Abstract



We introduce the spi calculus, an extension of the pi calculus designed for 
describing and analyzing cryptographic protocols. We show how to use 
the spi calculus, particularly for studying authentication protocols. The pi 
calculus (without extension) suffices for some abstract protocols; the spi 
calculus enables us to consider cryptographic issues in more detail. We 
represent protocols as processes in the spi calculus and state their security 
properties in terms of coarse-grained notions of protocol equivalence. 
1 Security and the Pi Calculus



The spi calculus is an extension of the pi calculus [MPW92] with cryptographic primitives. It is designed for describing and analyzing security protocols, such as those for authentication and for electronic commerce. These protocols rely on cryptography and on communication channels with properties like authenticity and privacy. Accordingly, cryptographic operations and communication through channels are the main ingredients of the spi calculus.

We use the pi calculus (without extension) for describing protocols at an abstract level. The pi calculus primitives for channels are simple but powerful. Channels can be created and passed, for example from authentication servers to clients. The scoping rules of the pi calculus guarantee that the environment of a protocol (the attacker) cannot access a channel that it is not explicitly given; scoping is thus the basis of security. In sum, the pi calculus appears as a fairly convenient calculus of protocols for secure communication.

However, the pi calculus does not express the cryptographic operations 
that are commonly used for implementing channels in distributed systems: 
it does not include any constructs for encryption and decryption, and these 
do not seem easy to represent. Since the use of cryptography is notoriously 
error-prone, we prefer not to abstract it away. We define the spi calculus 
in order to permit an explicit representation of the use of cryptography in 
protocols. 

There are by now many other notations for describing security protocols. Some, which have long been used in the authentication literature, have a fairly clear connection to the intended implementations of those protocols (see, e.g., [NS78, Lie93]). Their main shortcoming is that they do not provide a precise and solid basis for reasoning about protocols. Other notations (e.g., [BAN89]) are more formal, but their relation to implementations may be more tenuous or subtle. The spi calculus is a middle ground: it is directly executable and it has a precise semantics.

Because the semantics of the spi calculus is not only precise but intelligible, the spi calculus provides a setting for analyzing protocols. Specifically, we can express security guarantees as equivalences between spi calculus processes. For example, we can say that a protocol keeps secret a piece of data $X$ by stating that the protocol with $X$ is equivalent to the protocol with $X'$, for every $X'$. Here, equivalence means equivalence in the eyes of an arbitrary environment. The environment can interact with the protocol, perhaps attempting to create confusion between different messages or sessions. This definition of equivalence yields the desired properties for our security applications. (Interestingly, we cannot take the standard bisimilarity relation as our notion of equivalence.) Moreover, equivalence is not too hard to prove; we demonstrate this by carrying out the analysis of a few small protocols.

Although the definition of equivalence makes reference to the environment, we do not need to give a model of the environment explicitly. This is one of the main advantages of our approach. Writing such a model can be tedious and can lead to new arbitrariness and error. In particular, it is always difficult to express that the environment can invent random numbers but is not lucky enough to guess the random secrets on which a protocol depends. We resolve this conflict by letting the environment be an arbitrary spi calculus process.

Our approach has some similarities with other recent approaches for reasoning about protocols. Like work based on temporal logics or process algebras (e.g., [GM95, Low96, Sch96a]), our method builds on a standard concurrency formalism; this has obvious advantages but it also implies that our method is less intuitive than some based on ad hoc formalisms (e.g., [BAN89]). As in some modal logics (e.g., [ABLP93, LABW92]), we emphasize reasoning about channels and their utterances. As in state-transition models (e.g., [DY81, MCF87, Mil95a, Kem89, Mea92, Pau97]), we are interested in characterizing the knowledge of an environment. The unique features of our approach are its reliance on the powerful scoping constructs of the pi calculus; the radical definition of the environment as an arbitrary spi calculus process; and the representation of security properties, both integrity and secrecy, as equivalences.

Our model of protocols is simpler, but poorer, than some models developed for informal mathematical arguments (e.g., [BR95]) because the spi calculus does not include any notion of probability or complexity. It would be interesting to bridge the gap between the spi calculus and those models, perhaps by giving a probabilistic interpretation for our results.

Contents of this Paper 

Section 2 introduces the pi calculus and our method of specifying authenticity and secrecy properties as equations. Section 3 extends the pi calculus with primitives for shared-key cryptography. Sections 4 and 5 define the formal semantics of the spi calculus and associated proof techniques, respectively. Section 6 uses these techniques in proofs of some of the properties stated earlier. Section 7 discusses how to add primitives for public-key cryptography to the pi calculus, and Section 8 offers some conclusions. The Appendices contain some proofs and several sketches of partial encodings of the spi calculus in the pi calculus.

Two conference papers contain part of the material of this paper, in 
preliminary form [AG97b, AG97c]. Other recent papers describe additional 
proof techniques [AG98] and a type system [Aba97] for the spi calculus. 

Note 

It has been said that Perl is a language that looks the same in clear and encrypted. The pi calculus, and a fortiori the spi calculus, are not too far behind Perl in this respect. If you get lost in the formal passages of the paper, the cleartext nearby may help — hopefully the informal explanations convey the gist of what is being accomplished.

2 Protocols using Restricted Channels 

In this section, we review the definition of the pi calculus informally. (We 
give a more formal presentation in Section 4.) We then introduce a new 
application of the pi calculus, namely its use for the study of security. 

2.1 Basics 

The pi calculus is a small but extremely expressive programming language. 
It is an important result of the search for a calculus that could serve as 
a foundation for concurrent computation, in the same way in which the 
lambda calculus is a foundation for sequential computation. 

Pi calculus programs are systems of independent, parallel processes that synchronize via message-passing handshakes on named channels. The channels that a process knows about determine the communication possibilities of the process. Channels may be restricted, so that only certain processes may communicate on them. In this respect the pi calculus is similar to earlier process calculi such as CSP [Hoa85] and CCS [Mil89].

What sets the pi calculus apart from earlier calculi is that the scope of a restriction — the program text in which a channel may be used — may change during computation. When a process sends a restricted channel as a message to a process outside the scope of the restriction, the scope is said to extrude, that is, it enlarges to embrace the process receiving the channel. Processes in the pi calculus are mobile in the sense that their communication possibilities may change over time; they may learn the names of new channels via scope extrusion. Thus, a channel is a transferable capability for communication.

A central technical idea of this paper is to use the restriction operator and scope extrusion from the pi calculus as a formal model of the possession and communication of secrets, such as cryptographic keys. These features of the pi calculus are essential in our descriptions of security protocols.



2.2 Outline of the Pi Calculus 

There are in fact several versions of the pi calculus. Here we present the syntax and semantics of a particular version of the pi calculus; although this version is not the standard one, our choices should be relatively uncontroversial. The differences with other versions are mostly orthogonal to our concerns.

We assume an infinite set of names, to be used for communication channels, and an infinite set of variables. We let $m$, $n$, $p$, $q$, and $r$ range over names, and let $x$, $y$, and $z$ range over variables.

The set of terms is defined by the grammar:

    $L, M, N ::=$                  terms
        $n$                        name
        $(M, N)$                   pair
        $0$                        zero
        $\mathit{suc}(M)$          successor
        $x$                        variable

In the standard pi calculus, names are the only terms. For convenience we have added constructs for pairing and numbers, namely $(M, N)$, $0$, and $\mathit{suc}(M)$, and we have also distinguished variables from names. (This distinction simplifies the treatment of some equivalences.)
The set of processes is defined by the grammar:

    $P, Q, R ::=$                                                processes
        $\overline{M}\langle N\rangle.P$                         output
        $M(x).P$                                                 input
        $P \mid Q$                                               composition
        $(\nu n)P$                                               restriction
        $!P$                                                     replication
        $[M\ \mathit{is}\ N]\,P$                                 match
        $0$                                                      nil
        $\mathit{let}\ (x, y) = M\ \mathit{in}\ P$               pair splitting
        $\mathit{case}\ M\ \mathit{of}\ 0 : P\ \ \mathit{suc}(x) : Q$   integer case

In $(\nu n)P$, the name $n$ is bound in $P$. In $M(x).P$, the variable $x$ is bound in $P$. In $\mathit{let}\ (x, y) = M\ \mathit{in}\ P$, the variables $x$ and $y$ are bound in $P$. In $\mathit{case}\ M\ \mathit{of}\ 0 : P\ \ \mathit{suc}(x) : Q$, the variable $x$ is bound in the second branch, $Q$. We write $P[M/x]$ for the outcome of replacing each free occurrence of $x$ in process $P$ with the term $M$, and identify processes up to renaming of bound variables and names. We adopt the abbreviation $\overline{M}\langle N\rangle$ for $\overline{M}\langle N\rangle.0$.
Intuitively, the constructs of the pi calculus have the following meanings:

• The basic computational step and synchronization mechanism in the pi calculus is interaction, in which a term $N$ is communicated from an output process to an input process via a named channel, $m$.

  — An output process $\overline{m}\langle N\rangle.P$ is ready to output on channel $m$. If an interaction occurs, term $N$ is communicated on $m$ and then process $P$ runs.

  — An input process $m(x).P$ is ready to input from channel $m$. If an interaction occurs in which $N$ is communicated on $m$, then process $P[N/x]$ runs.

  (The general forms $\overline{M}\langle N\rangle.P$ and $M(x).P$ of output and input allow for the channel to be an arbitrary term $M$. The only useful cases are for $M$ to be a name, or a variable that gets instantiated to a name.)

• A composition $P \mid Q$ behaves as processes $P$ and $Q$ running in parallel. Each may interact with the other on channels known to both, or with the outside world, independently of the other.

• A restriction $(\nu n)P$ is a process that makes a new, private name $n$, and then behaves as $P$.

• A replication $!P$ behaves as an infinite number of copies of $P$ running in parallel.

• A match $[M\ \mathit{is}\ N]\,P$ behaves as $P$ provided that terms $M$ and $N$ are the same; otherwise it is stuck, that is, it does nothing.

• The nil process $0$ does nothing.

Since we added pairs and integers, we have two new process forms:

• A pair splitting process $\mathit{let}\ (x, y) = M\ \mathit{in}\ P$ behaves as $P[N/x][L/y]$ if term $M$ is the pair $(N, L)$. Otherwise, the process is stuck.

• An integer case process $\mathit{case}\ M\ \mathit{of}\ 0 : P\ \ \mathit{suc}(x) : Q$ behaves as $P$ if term $M$ is $0$, as $Q[N/x]$ if $M$ is $\mathit{suc}(N)$. Otherwise, the process is stuck.

We write $P \simeq Q$ to mean that the behaviours of the processes $P$ and $Q$ are indistinguishable. In other words, the processes $P$ and $Q$ may have different internal structure, but a third process $R$ cannot distinguish running in parallel with $P$ from running in parallel with $Q$. As far as $R$ can tell, $P$ and $Q$ have the same properties (more precisely, the same safety properties). We define the relation $\simeq$ in Section 4.2 as a form of testing equivalence. For now, it suffices to understand $\simeq$ informally.

2.3 Examples using Restricted Channels 

Next we show how to express some abstract security protocols in the pi 
calculus. In security protocols, it is common to find channels on which 
only a given set of principals is allowed to send data or to listen. The set 
of principals may expand in the course of a protocol run, for example as 
the result of channel establishment. Remarkably, it is easy to model this 
property of channels in the pi calculus, via the restriction operation; the 
expansion of the set of principals that can access a channel corresponds to 
scope extrusion. 

We do not provide a systematic translation from another language for 
describing protocols into the pi calculus, but rather show some examples of 
protocols written directly in the pi calculus, along with informal descriptions 
of the kind commonly found in the security literature. We do introduce a 
fairly systematic approach for stating properties of protocols as pi calculus 
equivalences. 

2.3.1 A first example 

Our first example is extremely basic. In this example, there are two principals $A$ and $B$ that share a channel, $c_{AB}$; only $A$ and $B$ can send data or listen on this channel. The protocol is simply that $A$ uses $c_{AB}$ for sending a single message $M$ to $B$.

In informal notation, we may write this protocol as follows:

    Message 1   $A \to B$ : $M$ on $c_{AB}$

A first pi calculus description of this protocol is:

    $A(M) \triangleq \overline{c_{AB}}\langle M\rangle$
    $B \triangleq c_{AB}(x).0$
    $\mathit{Inst}(M) \triangleq (\nu c_{AB})(A(M) \mid B)$

The processes $A(M)$ and $B$ describe the two principals, and $\mathit{Inst}(M)$ describes (one instance of) the whole protocol. The channel $c_{AB}$ is restricted; intuitively, this achieves the effect that only $A$ and $B$ have access to $c_{AB}$.

In these definitions, $A(M)$ and $\mathit{Inst}(M)$ are processes parameterized by $M$. More formally, we say that $A$ and $\mathit{Inst}$ are abstractions, and treat the $M$'s on the left of $\triangleq$ as bound parameters. Roughly, abstractions are functions that map terms to processes. (Section 5.1 contains a precise definition of abstractions.) Abstractions can of course be instantiated (applied); for example, the instantiation $A(0)$ yields $\overline{c_{AB}}\langle 0\rangle$. The standard rules of substitution govern application, forbidding parameter captures; for example, expanding $\mathit{Inst}(c_{AB})$ would require a renaming of the bound occurrence of $c_{AB}$ in the definition of $\mathit{Inst}$.

The first pi calculus description of the protocol may seem a little futile because, according to it, $B$ does nothing with its input. A more useful and general description says that $B$ runs a process $F$ with its input. We revise our definitions as follows:

    $A(M) \triangleq \overline{c_{AB}}\langle M\rangle$
    $B \triangleq c_{AB}(x).F(x)$
    $\mathit{Inst}(M) \triangleq (\nu c_{AB})(A(M) \mid B)$

Informally, $F(x)$ is simply the result of applying $F$ to $x$. More formally, $F$ is an abstraction, and $F(x)$ is an instantiation of the abstraction. We adopt the convention that the bound parameters of the protocol (in this case, $M$, $c_{AB}$, and $x$) cannot occur free in $F$.

This protocol has two important properties:

• Authenticity (or integrity): $B$ always applies $F$ to the message $M$ that $A$ sends; an attacker cannot cause $B$ to apply $F$ to some other message.

• Secrecy: The message $M$ cannot be read in transit from $A$ to $B$: if $F$ does not reveal $M$, then the whole protocol does not reveal $M$.

The secrecy property can be stated in terms of equivalences: if $F(M) \simeq F(M')$ for all $M$ and $M'$, then $\mathit{Inst}(M) \simeq \mathit{Inst}(M')$. This means that if $F(M)$ is indistinguishable from $F(M')$, then the protocol with message $M$ is indistinguishable from the protocol with message $M'$.

There are many sensible ways of formalizing the authenticity property. In particular, it may be possible to use notions of refinement or a suitable program logic. However, we choose to write authenticity as an equivalence, for economy. This equivalence compares the protocol with another protocol. Our intent is that the latter protocol serves as a specification. In this case, the specification is:

    $A(M) \triangleq \overline{c_{AB}}\langle M\rangle$
    $B_{\mathit{spec}}(M) \triangleq c_{AB}(x).F(M)$
    $\mathit{Inst}_{\mathit{spec}}(M) \triangleq (\nu c_{AB})(A(M) \mid B_{\mathit{spec}}(M))$

The principal $A$ is as usual, but the principal $B$ is replaced with a variant $B_{\mathit{spec}}(M)$; this variant receives an input from $A$ and then acts like $B$ when $B$ receives $M$. We may say that $B_{\mathit{spec}}(M)$ is a "magical" version of $B$ that knows the message $M$ sent by $A$, and similarly $\mathit{Inst}_{\mathit{spec}}$ is a "magical" version of $\mathit{Inst}$.

Although the specification and the protocol are similar in structure, the specification is more evidently "correct" than the protocol. Therefore, we take the following equivalence as our authenticity property: $\mathit{Inst}(M) \simeq \mathit{Inst}_{\mathit{spec}}(M)$, for all $M$.

In summary, we have:

    Authenticity: $\mathit{Inst}(M) \simeq \mathit{Inst}_{\mathit{spec}}(M)$, for all $M$.

    Secrecy: $\mathit{Inst}(M) \simeq \mathit{Inst}(M')$ if $F(M) \simeq F(M')$, for all $M$, $M'$.

Each of these equivalences means that the two processes being equated are indistinguishable, even when an active attacker is their environment. Neither of these equivalences would hold without the restriction of channel $c_{AB}$. We prove these equivalences in Section 6, which contains proofs for all our examples.

2.3.2 An example with channel establishment 

A more interesting variant of our first example is obtained by adding a channel establishment phase. In this phase, before they communicate any data, the principals $A$ and $B$ obtain a new channel with the help of a server $S$.

There are many different ways of establishing a channel, even at the abstract level at which we work here. The one we describe is inspired by the Wide Mouthed Frog protocol [BAN89], which has the basic structure shown in Figure 1.


Figure 1: Structure of the Wide Mouthed Frog Protocol

We consider an abstract and simplified version of the Wide Mouthed Frog 
protocol. Our version is abstract in that we deal with channels instead of 
keys; it is simplified in that channel establishment and data communication 
happen only once (so there is no need for timestamps). In the next section 
we show how to treat keys and how to allow many instances of the protocol, 
with an arbitrary number of messages. 

Informally, our version is:

    Message 1   $A \to S$ : $c_{AB}$ on $c_{AS}$
    Message 2   $S \to B$ : $c_{AB}$ on $c_{SB}$
    Message 3   $A \to B$ : $M$ on $c_{AB}$

Here $c_{AS}$ is a channel that $A$ and $S$ share initially, $c_{SB}$ is a channel that $S$ and $B$ share initially, and $c_{AB}$ is a channel that $A$ creates for communication with $B$. After passing the channel $c_{AB}$ to $B$ through $S$, $A$ sends a message $M$ on $c_{AB}$. Note that $S$ does not use the channel, but only transmits it.

In the pi calculus, we formulate this protocol as follows:

    $A(M) \triangleq (\nu c_{AB})\,\overline{c_{AS}}\langle c_{AB}\rangle.\overline{c_{AB}}\langle M\rangle$
    $S \triangleq c_{AS}(x).\overline{c_{SB}}\langle x\rangle$
    $B \triangleq c_{SB}(x).x(y).F(y)$
    $\mathit{Inst}(M) \triangleq (\nu c_{AS})(\nu c_{SB})(A(M) \mid S \mid B)$

Here we write $F(y)$ to represent what $B$ does with the message $y$ that it receives, as in the previous example. The restrictions on the channels $c_{AS}$, $c_{SB}$, and $c_{AB}$ reflect the expected privacy guarantees for these channels. The most salient new feature of this specification is the use of scope extrusion: $A$ generates a fresh channel $c_{AB}$, and then sends it out of scope to $B$ via $S$. We could not have written this description in formalisms such as CCS or CSP; the use of the pi calculus is important.

For discussing authenticity, we introduce the following specification:

    $A(M) \triangleq (\nu c_{AB})\,\overline{c_{AS}}\langle c_{AB}\rangle.\overline{c_{AB}}\langle M\rangle$
    $S \triangleq c_{AS}(x).\overline{c_{SB}}\langle x\rangle$
    $B_{\mathit{spec}}(M) \triangleq c_{SB}(x).x(y).F(M)$
    $\mathit{Inst}_{\mathit{spec}}(M) \triangleq (\nu c_{AS})(\nu c_{SB})(A(M) \mid S \mid B_{\mathit{spec}}(M))$

According to this specification, the message $M$ is communicated "magically": the process $F$ is applied to the message $M$ that $A$ sends independently of whatever happens during the rest of the protocol run.

We obtain the following authenticity and secrecy properties:

    Authenticity: $\mathit{Inst}(M) \simeq \mathit{Inst}_{\mathit{spec}}(M)$, for all $M$.

    Secrecy: $\mathit{Inst}(M) \simeq \mathit{Inst}(M')$ if $F(M) \simeq F(M')$, for all $M$, $M'$.

Again, these properties hold because of the scoping rules of the pi calculus. 
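
To make the scoping argument concrete, here is a small added example that is not part of the paper: a Python interpreter for the fragment of the pi calculus used in this section (output, input, composition, restriction, nil). It explores every interleaving of a finite system, and it represents a channel as an object a process can synchronize on only if it was created with it or has received it, so the identity of a Name object plays the role of a restricted name. It then runs the abstract Wide Mouthed Frog exchange above; the Done record stands in for F and simply records what a principal received. The function names, the env parameter, and the eavesdropper process E are my own constructions, not the paper's.

```python
"""Added example: a tiny interpreter for the pi-calculus fragment used in
Section 2, exploring every interleaving of a finite system.  Constructed for
illustration; not the paper's formal semantics (Section 4)."""
from dataclasses import dataclass
from typing import Any, Callable
import itertools


class Name:
    """A channel name.  Equality is object identity, so a process can only
    synchronize on a name it was created with or has received (scoping)."""
    _ids = itertools.count()

    def __init__(self, hint: str):
        self.hint, self.uid = hint, next(Name._ids)

    def __repr__(self):
        return "%s#%d" % (self.hint, self.uid)


@dataclass
class Out:                      # m<N>.P
    chan: Name
    msg: Any
    cont: Any                   # continuation process, or None for nil


@dataclass
class In:                       # m(x).P, with cont mapping x to P
    chan: Name
    cont: Callable[[Any], Any]


@dataclass
class Par:                      # P | Q
    left: Any
    right: Any


@dataclass
class New:                      # (nu n)P, with body mapping the fresh n to P
    hint: str
    body: Callable[[Name], Any]


@dataclass(frozen=True)
class Done:                     # inert leaf standing in for F: who learnt what
    who: str
    value: Any


def flatten(proc):
    """Expand composition and restriction into a list of leaf threads."""
    if proc is None:            # nil
        return []
    if isinstance(proc, Par):
        return flatten(proc.left) + flatten(proc.right)
    if isinstance(proc, New):   # restriction: a fresh, never-before-seen name
        return flatten(proc.body(Name(proc.hint)))
    return [proc]


def explore(proc):
    """All terminal states reachable by interaction, each summarised as the
    set of Done records present once no output/input pair can synchronize."""
    results = set()

    def step(threads):
        moved = False
        for i, o in enumerate(threads):
            if not isinstance(o, Out):
                continue
            for j, r in enumerate(threads):
                if isinstance(r, In) and r.chan is o.chan:   # same name object
                    moved = True
                    rest = [t for k, t in enumerate(threads) if k not in (i, j)]
                    step(rest + flatten(o.cont) + flatten(r.cont(o.msg)))
        if not moved:
            results.add(frozenset(t for t in threads if isinstance(t, Done)))

    step(flatten(proc))
    return results


def wide_mouthed_frog(M, env=None):
    """Abstract Wide Mouthed Frog of Section 2.3.2.  `env`, if given, maps
    (c_AS, c_SB) to an environment process placed inside the scope of those
    channels, i.e. it models dropping their restriction (hypothetical API)."""
    def system(cas, csb):
        A = New("c_AB", lambda cab: Out(cas, cab, Out(cab, M, None)))
        S = In(cas, lambda x: Out(csb, x, None))
        B = In(csb, lambda x: In(x, lambda y: Done("B", y)))   # x(y).F(y)
        inst = Par(A, Par(S, B))
        return inst if env is None else Par(inst, env(cas, csb))
    return New("c_AS", lambda cas: New("c_SB", lambda csb: system(cas, csb)))


def run_restricted(M="M"):
    """Inst(M) alone: the environment holds none of the restricted channels."""
    return explore(wide_mouthed_frog(M))


def run_with_leaked_channel(M="M"):
    """Same protocol, but an eavesdropper E has been handed c_AS."""
    def E(cas, csb):
        return In(cas, lambda x: In(x, lambda y: Done("E", y)))
    return explore(wide_mouthed_frog(M, env=E))


if __name__ == "__main__":
    print("restricted:", run_restricted())
    print("c_AS leaked:", run_with_leaked_channel())
```

With c_AS restricted, every interleaving ends with B holding M. If the environment is handed c_AS, one interleaving lets E obtain c_AB through scope extrusion and then read M on it, which is exactly why neither equivalence above holds without the restrictions.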

2.3.3 Discussion

We believe that the two examples just given are rather encouraging. They indicate that the pi calculus is a natural language for describing some security protocols. In particular, the restriction operator and scope extrusion allow convenient representations for the possession and communication of channels.

We do not wish to suggest that the pi calculus enables us to describe all security protocols, even at an abstract level. For example, some protocols rely on asymmetric channels (channels of the kind implemented with public-key cryptography [DH76, RSA78]). It may be possible to represent such asymmetric channels in the pi calculus but extending the pi calculus may be simpler and more effective. However, the restriction operator and scope extrusion should be useful for describing security protocols even in extensions of the pi calculus.


3 Protocols using Cryptography

Just as there are several versions of the pi calculus, there are several versions of the spi calculus. These differ in particular in what cryptographic constructs they include.

In this section we introduce a relatively simple spi calculus, namely the 
pi calculus extended with primitives for shared-key cryptography. We then 
write several protocols that use shared-key cryptography in this calculus. 

As in Section 2, the presentation is rather informal. Later sections contain further formal definitions. Throughout the paper, we often refer to the calculus presented in this section as "the" spi calculus; but we define other versions of the spi calculus in Section 7.

3.1 The Spi Calculus with Shared-Key Cryptography

The syntax of the spi calculus is an extension of that of the pi calculus. In order to represent encrypted messages, we add a clause to the syntax of terms:

    $L, M, N ::=$                  terms
        (as in Section 2.2)
        $\{M\}_N$                  shared-key encryption

In order to represent decryption, we add a clause to the syntax of processes:

    $P, Q ::=$                                                  processes
        (as in Section 2.2)
        $\mathit{case}\ L\ \mathit{of}\ \{x\}_N\ \mathit{in}\ P$    shared-key decryption

The variable $x$ is bound in $P$.

Intuitively, the meaning of the new constructs is as follows:

• The term $\{M\}_N$ represents the ciphertext obtained by encrypting the term $M$ under the key $N$ using a shared-key cryptosystem such as DES [DES77].

• The process $\mathit{case}\ L\ \mathit{of}\ \{x\}_N\ \mathit{in}\ P$ attempts to decrypt the term $L$ with the key $N$. If $L$ is a ciphertext of the form $\{M\}_N$, then the process behaves as $P[M/x]$. Otherwise, the process is stuck.

Implicit in this definition are some standard but significant assumptions about cryptography:

• The only way to decrypt an encrypted packet is to know the corresponding key.

• An encrypted packet does not reveal the key that was used to encrypt it.

• There is sufficient redundancy in messages so that the decryption algorithm can detect whether a ciphertext was encrypted with the expected key.

It is not assumed that all messages contain information that allows each principal to recognize its own messages (cf. [BAN89]).

The semantics of the spi calculus can be formalized in much the same way as the semantics of the pi calculus. We carry out this formalization in Section 4. The most interesting issues in this formalization concern the notion of equivalence. Again, we write $P \simeq Q$ to mean that the behaviours of the processes $P$ and $Q$ are indistinguishable. However, the notion of indistinguishability is complicated by the presence of cryptography.

As an example of these complications, consider the following process:

    $P(M) \triangleq (\nu K)\,\overline{c}\langle \{M\}_K\rangle$

This process simply sends $M$ under a new key $K$ on a public channel $c$; the key $K$ is not transmitted. Intuitively, we would like to be able to say that $P(M)$ and $P(M')$ are indistinguishable, for any $M$ and $M'$, because an observer cannot discover $K$ and hence cannot tell whether $M$ or $M'$ is sent under $K$. On the other hand, $P(M)$ and $P(M')$ are clearly different, since they transmit different messages on $c$. A fine-grained equivalence — such as the standard strong bisimilarity — would distinguish $P(M)$ and $P(M')$. Our equivalence is coarse-grained enough not to make this unwanted distinction.

3.2 Examples using Shared-Key Cryptography 

The spi calculus enables more detailed descriptions of security protocols 
than the pi calculus. While the pi calculus enables the representation of 
channels, the spi calculus also enables the representation of the channel 
implementations in terms of cryptography. In this section we show a few 
example cryptographic protocols. 

As in the pi calculus, scoping is the basis of security in the spi calculus. In particular, restriction can be used to model the creation of fresh, unguessable cryptographic keys. Restriction can also be used to model the creation of fresh nonces of the sort used in challenge-response exchanges. Security properties can still be expressed as equivalences, although the notion of equivalence is more delicate, as we have discussed.

3.2.1 A first cryptographic example

Our first example is a cryptographic version of the example of Section 2.3.1. We consider two principals $A$ and $B$ that share a key $K_{AB}$; in addition, we assume there is a public channel $c_{AB}$ that $A$ and $B$ can use for communication, but which is in no way secure. The protocol is simply that $A$ sends a message $M$ under $K_{AB}$ to $B$, on $c_{AB}$.

Informally, we write this protocol as follows:

    Message 1   $A \to B$ : $\{M\}_{K_{AB}}$ on $c_{AB}$

In the spi calculus, we write:

    $A(M) \triangleq \overline{c_{AB}}\langle \{M\}_{K_{AB}}\rangle$
    $B \triangleq c_{AB}(x).\mathit{case}\ x\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ F(y)$
    $\mathit{Inst}(M) \triangleq (\nu K_{AB})(A(M) \mid B)$

According to this definition, $A$ sends $\{M\}_{K_{AB}}$ while $B$ listens for a message on $c_{AB}$. Given such a message, $B$ attempts to decrypt it using $K_{AB}$; if this decryption succeeds, $B$ applies $F$ to the result. The assumption that $A$ and $B$ share $K_{AB}$ gives rise to the restriction on $K_{AB}$, which is syntactically legal and meaningful although $K_{AB}$ is not used as a channel. On the other hand, $c_{AB}$ is not restricted, since it is a public channel. Other principals may send messages on $c_{AB}$, so $B$ may attempt to decrypt a message not encrypted under $K_{AB}$; in that case, the protocol will get stuck. We are not concerned about this possibility, but it would be easy enough to avoid it by writing a slightly more elaborate program for $B$.

We use the following specification:

    $A(M) \triangleq \overline{c_{AB}}\langle \{M\}_{K_{AB}}\rangle$
    $B_{\mathit{spec}}(M) \triangleq c_{AB}(x).\mathit{case}\ x\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ F(M)$
    $\mathit{Inst}_{\mathit{spec}}(M) \triangleq (\nu K_{AB})(A(M) \mid B_{\mathit{spec}}(M))$

and we obtain the properties:

    Authenticity: $\mathit{Inst}(M) \simeq \mathit{Inst}_{\mathit{spec}}(M)$, for all $M$.

    Secrecy: $\mathit{Inst}(M) \simeq \mathit{Inst}(M')$ if $F(M) \simeq F(M')$, for all $M$, $M'$.


Intuitively, authenticity holds even if the key $K_{AB}$ is somehow compromised after its use. Many factors can contribute to key compromise, for example incompetence on the part of protocol participants, and malice and brute force on the part of attackers. We cannot model all these factors, but we can model deliberate key publication, which is in a sense the most extreme of them. It suffices to make a small change in the definitions of $B$ and $B_{\mathit{spec}}$, so that they send $K_{AB}$ on a public channel after receiving $\{M\}_{K_{AB}}$. This change preserves the authenticity equation, but clearly not the secrecy equation.

There is an apparent correspondence between the protocol of this section and that of Section 2.3.1, which does not use cryptography. Informally, we may say that this is a cryptographic implementation of the protocol of Section 2.3.1. More precisely, we conjecture that this protocol is an implementation of the parallel composition of the protocol of Section 2.3.1 with $(\nu n)(\overline{c_{AB}}\langle n\rangle)$. (Our notion of implementation is a testing preorder; see Section 4.) The role of $(\nu n)(\overline{c_{AB}}\langle n\rangle)$ is to send a "decoy message" on $c_{AB}$. This decoy is needed because an environment can detect whether $c_{AB}$ is used or not, and hence (in absence of the decoy) can distinguish the protocol of this section from that of Section 2.3.1.

We do not study implementation relations in this paper. However, we do believe that such relations are important and that they deserve more attention in the field of security. We view this example of an implementation relation as an intriguing novelty; it suggests the possibility of hierarchical development of cryptographic protocols from non-cryptographic specifications.

3.2.2 An example with key establishment 

In cryptographic protocols, the establishment of new channels often means the exchange of new keys. There are many methods (most of them flawed) for key exchange. The following example is the cryptographic version of that of Section 2.3.2, and uses a simplified form of the Wide Mouthed Frog key exchange. The example is represented in Figure 2.

In the Wide Mouthed Frog protocol, the principals $A$ and $B$ share keys $K_{AS}$ and $K_{SB}$ respectively with a server $S$. When $A$ and $B$ want to communicate securely, $A$ creates a new key $K_{AB}$, sends it to the server under $K_{AS}$, and the server forwards it to $B$ under $K_{SB}$. Since all communication is protected by encryption, communication can take place through public channels, which we write $c_{AS}$, $c_{SB}$, and $c_{AB}$. Informally, a simplified version of this protocol is:

    Message 1   $A \to S$ : $\{K_{AB}\}_{K_{AS}}$ on $c_{AS}$
    Message 2   $S \to B$ : $\{K_{AB}\}_{K_{SB}}$ on $c_{SB}$
    Message 3   $A \to B$ : $\{M\}_{K_{AB}}$ on $c_{AB}$

Figure 2: Sketch of the Wide Mouthed Frog Protocol

In the spi calculus, we can express this message sequence as follows:

    $A(M) \triangleq (\nu K_{AB})\big(\overline{c_{AS}}\langle \{K_{AB}\}_{K_{AS}}\rangle.\overline{c_{AB}}\langle \{M\}_{K_{AB}}\rangle\big)$
    $S \triangleq c_{AS}(x).\mathit{case}\ x\ \mathit{of}\ \{y\}_{K_{AS}}\ \mathit{in}\ \overline{c_{SB}}\langle \{y\}_{K_{SB}}\rangle$
    $B \triangleq c_{SB}(x).\mathit{case}\ x\ \mathit{of}\ \{y\}_{K_{SB}}\ \mathit{in}\ c_{AB}(z).\mathit{case}\ z\ \mathit{of}\ \{w\}_y\ \mathit{in}\ F(w)$
    $\mathit{Inst}(M) \triangleq (\nu K_{AS})(\nu K_{SB})(A(M) \mid S \mid B)$

where $F(w)$ is a process representing the rest of the behaviour of $B$ upon receiving a message $w$. Notice the essential use of scope extrusion: $A$ generates the key $K_{AB}$ and sends it out of scope to $B$ via $S$.

Following our usual pattern, we introduce a specification for discussing authenticity:

    $A(M) \triangleq (\nu K_{AB})\big(\overline{c_{AS}}\langle \{K_{AB}\}_{K_{AS}}\rangle.\overline{c_{AB}}\langle \{M\}_{K_{AB}}\rangle\big)$
    $S \triangleq c_{AS}(x).\mathit{case}\ x\ \mathit{of}\ \{y\}_{K_{AS}}\ \mathit{in}\ \overline{c_{SB}}\langle \{y\}_{K_{SB}}\rangle$
    $B_{\mathit{spec}}(M) \triangleq c_{SB}(x).\mathit{case}\ x\ \mathit{of}\ \{y\}_{K_{SB}}\ \mathit{in}\ c_{AB}(z).\mathit{case}\ z\ \mathit{of}\ \{w\}_y\ \mathit{in}\ F(M)$
    $\mathit{Inst}_{\mathit{spec}}(M) \triangleq (\nu K_{AS})(\nu K_{SB})(A(M) \mid S \mid B_{\mathit{spec}}(M))$


One may be concerned about the apparent complexity of this specification. On the other hand, despite its complexity, the specification is still more evidently "correct" than the protocol. In particular, it is still evident that $B_{\mathit{spec}}(M)$ applies $F$ to the data $M$ from $A$, rather than to some other message chosen as the result of error or attack.

We obtain the usual properties of authenticity and secrecy: 

    Authenticity: $\mathit{Inst}(M) \simeq \mathit{Inst}_{\mathit{spec}}(M)$, for all $M$.

    Secrecy: $\mathit{Inst}(M) \simeq \mathit{Inst}(M')$ if $F(M) \simeq F(M')$, for all $M$, $M'$.
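
The encryption assumptions of Section 3.1 and the secrecy claims of Sections 3.2.1 and 3.2.2 can be checked mechanically for one run. The Python model below is an added example, not the paper's own development: a ciphertext is an opaque value that yields its plaintext only to the exact key and never yields the key, a wrong key leaves the decrypting process stuck, and `analyze` computes, in the Dolev-Yao style of [DY81], everything an environment can extract from the public-channel traffic using the destructors the calculus gives it (pair splitting and decryption under a key it holds), which is enough to decide whether an atomic secret such as $M$ or $K_{AB}$ is derivable. It runs the Wide Mouthed Frog exchange of Section 3.2.2 and also the key-publication variant discussed in Section 3.2.1. The names `Enc`, `decrypt`, `analyze`, `wide_mouthed_frog`, `secrecy_holds` and `after_key_publication` are my own, and the key strings are constructed stand-ins for fresh names.

```python
"""Added example: symbolic shared-key encryption under the three assumptions
of Section 3.1, run over the Wide Mouthed Frog exchange of Section 3.2.2.
Constructed for illustration; not the paper's own formal development."""
from dataclasses import dataclass
from typing import Any, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Enc:
    """The term {M}_N.  Opaque: the key is stored only so that decryption can
    check it (the redundancy assumption); analyze() never extracts it."""
    plaintext: Any
    key: Any


def decrypt(L: Any, N: Any):
    """case L of {x}_N in P: the plaintext if L = {M}_N for exactly this N,
    otherwise None, modelling a process that is stuck."""
    if isinstance(L, Enc) and L.key == N:
        return L.plaintext
    return None


def analyze(known: Iterable[Any]) -> FrozenSet[Any]:
    """Close a set of terms under the destructors the calculus offers an
    environment: let (x, y) = t, and case t of {x}_k for a key k it holds.
    Constructors (pairing, encrypting) never produce a new name, so this
    closure decides whether an atomic secret is derivable."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            parts: List[Any] = []
            if isinstance(t, tuple):                     # pair splitting
                parts = list(t)
            elif isinstance(t, Enc) and t.key in known:  # decryption, key held
                parts = [t.plaintext]
            for p in parts:
                if p not in known:
                    known.add(p)
                    changed = True
    return frozenset(known)


def wide_mouthed_frog(M: Any) -> Tuple[Any, List[Tuple[str, Any]]]:
    """One honest run.  Returns (what B hands to F, public-channel traffic).
    The key strings stand in for the fresh names (nu K_AS)(nu K_SB)(nu K_AB)."""
    K_AS, K_SB, K_AB = "K_AS", "K_SB", "K_AB"            # constructed names
    traffic: List[Tuple[str, Any]] = []
    m1 = Enc(K_AB, K_AS)                  # Message 1  A -> S : {K_AB}_{K_AS}
    traffic.append(("c_AS", m1))
    y = decrypt(m1, K_AS)                 # S: case x of {y}_{K_AS}
    m2 = Enc(y, K_SB)                     # Message 2  S -> B : {K_AB}_{K_SB}
    traffic.append(("c_SB", m2))
    session_key_at_B = decrypt(m2, K_SB)  # B: case x of {y}_{K_SB}
    m3 = Enc(M, K_AB)                     # Message 3  A -> B : {M}_{K_AB}
    traffic.append(("c_AB", m3))
    w = decrypt(m3, session_key_at_B)     # B: case z of {w}_y in F(w)
    return w, traffic


def environment_learns(traffic, extra=()) -> FrozenSet[Any]:
    """All three channels are public, so the environment sees every message;
    `extra` holds anything a principal deliberately publishes."""
    return analyze([m for _, m in traffic] + list(extra))


def secrecy_holds(M: Any = "M") -> bool:
    """B receives exactly M, and neither M nor K_AB is derivable from traffic."""
    received, traffic = wide_mouthed_frog(M)
    learnt = environment_learns(traffic)
    return received == M and M not in learnt and "K_AB" not in learnt


def after_key_publication(M: Any = "M") -> bool:
    """Section 3.2.1's remark: once K_AB is sent on a public channel after
    the run, secrecy of M is lost (the completed run's authenticity is not)."""
    _, traffic = wide_mouthed_frog(M)
    return M in environment_learns(traffic, extra=["K_AB"])


if __name__ == "__main__":
    print("secrecy holds:", secrecy_holds())
    print("M exposed after K_AB is published:", after_key_publication())
```

The closure is what the paper's equivalence abstracts over: the environment is any process, but a process can only take ciphertexts apart with keys it holds, so a run whose public traffic never yields $K_{AB}$ never yields $M$ either.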

3.2.3 A complete authentication example (with a flaw) 

In the examples discussed so far, channel establishment and data communication happen only once. As we demonstrate now, it is a simple matter of programming to remove this restriction and to represent more sophisticated examples with many sessions between many principals. However, as the intricacy of our examples increases, so does the opportunity for error. This should not be construed as a limitation of our approach, but rather as the sign of an intrinsic difficulty: many of the mistakes in authentication protocols arise from confusion between sessions.

We consider a system with a server $S$ and $n$ other principals. We use 
the terms $\mathit{suc}(0), \mathit{suc}(\mathit{suc}(0)), \ldots$, which we abbreviate to $1, 2, \ldots$, as the 
names of these other principals. We assume that each principal has an input 
channel; these input channels are public and have the names $c_1, c_2, \ldots, c_n$ 
and $c_S$. We also assume that the server shares a pair of keys with each 
other principal, one key for each direction: principal $i$ uses a key $K_{iS}$ to 
send to $S$ and a different key $K_{Si}$ to receive from $S$, for $1 \leq i \leq n$. In the 
Wide Mouthed Frog protocol, as in many other small protocols, the keys 
$K_{iS}$ and $K_{Si}$ are identical; our use of two different keys simplifies reasoning 
by making it impossible to confuse certain messages. 

We extend our standard example to this system of n + 1 principals, with 
the following message sequence: 

Message 1  $A \to S$ : $A, \{B, K_{AB}\}_{K_{AS}}$ on $c_S$
Message 2  $S \to B$ : $\{A, K_{AB}\}_{K_{SB}}$ on $c_B$
Message 3  $A \to B$ : $A, \{M\}_{K_{AB}}$ on $c_B$

Here $A$ and $B$ range over the $n$ principals. The names $A$ and $B$ appear in 
messages in order to avoid ambiguity; when these names appear in clear, 
they function as hints that help the recipient choose the appropriate key 
for decryption of the rest of the message. The intent is that the protocol 
can be used by any pair of principals, arbitrarily often; concurrent runs are 
allowed. 

As it stands, the protocol is seriously flawed; a correct protocol appears 
below, in Section 3.2.4. (The flaws and their fixes should be clear to readers 
knowledgeable in security.) However, we continue to discuss the protocol in 
order to explain our method for representing it in the spi calculus. 

In our spi calculus representation, we use several convenient abbrevia- 
tions. First, we rely on pair splitting on input and on decryption: 

$c(x_1, x_2).P \triangleq c(y).\mathit{let}\ (x_1, x_2) = y\ \mathit{in}\ P$
$\mathit{case}\ L\ \mathit{of}\ \{x_1, x_2\}_N\ \mathit{in}\ P \triangleq \mathit{case}\ L\ \mathit{of}\ \{y\}_N\ \mathit{in}\ \mathit{let}\ (x_1, x_2) = y\ \mathit{in}\ P$

where variable $y$ does not occur free in $P$. Second, we need the standard 
notation for the composition of a finite set of processes. Given a finite 
family of processes $P_1, \ldots, P_k$, we let $\prod_{i \in 1..k} P_i$ be their $k$-way composition 
$P_1 \mid \cdots \mid P_k$. Finally, we omit the inner brackets from an encrypted pair 
of the form $\{(N, N')\}_{N''}$, and simply write $\{N, N'\}_{N''}$, as is common in 
informal descriptions. 

Informally, an instance of the protocol is determined by a choice of parties 
(who is $A$ and who is $B$) and by the message sent after key establishment. 
More formally, an instance $I$ is a triple $(i, j, M)$ such that $i$ and $j$ are principals 
and $M$ is a message. We say that $i$ is the source address and $j$ the 
destination address of the instance. Moreover, we assume that there is an 
abstraction $F$ representing the behaviour of any principal after receipt of 
Message 3 of the protocol. For an instance $(i, j, M)$ that runs as intended, 
the argument to $F$ is the triple $(i, j, M)$. 

Given an instance {i,j, M), the following process corresponds to the role 
of A: 

$\mathit{Send}(i, j, M) \triangleq (\nu K)(\overline{c_S}\langle (i, \{j, K\}_{K_{iS}})\rangle \mid \overline{c_j}\langle (i, \{M\}_K)\rangle)$

The sending process creates a key K and sends it to the server, along with 
the names i and j of the principals of the instance. The sending process also 
sends M under K, along with its name i. We have put the two messages 
in parallel, somewhat arbitrarily; but putting them in sequence would have 
much the same effect. 

The following process corresponds to the role of B for principal j: 

$\mathit{Recv}(j) \triangleq c_j(y_{cipher}) . \mathit{case}\ y_{cipher}\ \mathit{of}\ \{x_A, x_{key}\}_{K_{Sj}}\ \mathit{in}\ c_j(z_A, z_{cipher}) . [x_A\ \mathit{is}\ z_A]\ \mathit{case}\ z_{cipher}\ \mathit{of}\ \{z_{plain}\}_{x_{key}}\ \mathit{in}\ F(x_A, j, z_{plain})$

The receiving process waits for a message $y_{cipher}$ from the server, extracts a 
key $x_{key}$ from this message, then waits for a message $z_{cipher}$ under this key, 
and finally applies $F$ to the name $x_A$ of the presumed sender, to its own 
name $j$, and to the contents $z_{plain}$ of the message. The variables $x_A$ and $z_A$ 
are both intended as the name of the sending process, so they are expected 
to match. 

The server S is the same for all instances: 

$S \triangleq c_S(x_A, x_{cipher}) . \prod_{i \in 1..n} [x_A\ \mathit{is}\ i]\ \mathit{case}\ x_{cipher}\ \mathit{of}\ \{x_B, x_{key}\}_{K_{iS}}\ \mathit{in}\ \prod_{j \in 1..n} [x_B\ \mathit{is}\ j]\ \overline{c_j}\langle \{x_A, x_{key}\}_{K_{Sj}}\rangle$

The variable $x_A$ is intended as the name of the sending process, $x_B$ as 
the name of the receiving process, $x_{key}$ as the new key, and $x_{cipher}$ as the 
encrypted part of the first message of the protocol. In the code for the 
server, we program an $n$-way branch on the name $x_A$ by using a parallel 
composition of processes indexed by $i \in 1..n$. We also program an $n$-way 
branch on the name $x_B$, similarly. (This casual use of multiple threads is 
characteristic of the pi calculus; in practice the branch could be implemented 
more efficiently, but here we are interested only in the behaviour of the 
server, not in its efficient implementation.) 

Finally we define a whole system, parameterized on a list of instances of 
the protocol: 

$\mathit{Sys}(I_1, \ldots, I_m) \triangleq (\nu K_{iS})(\nu K_{Sj})(\mathit{Send}(I_1) \mid \cdots \mid \mathit{Send}(I_m) \mid\ !S \mid\ !\mathit{Recv}(1) \mid \cdots \mid\ !\mathit{Recv}(n))$

where $(\nu K_{iS})(\nu K_{Sj})$ stands for $(\nu K_{1S}) \ldots (\nu K_{nS})(\nu K_{S1}) \ldots (\nu K_{Sn})$. The 
expression $\mathit{Sys}(I_1, \ldots, I_m)$ represents a system with $m$ instances of the protocol. 
The server is replicated; in addition, the replication of the receiving 
processes means that each principal is willing to play the role of receiver in 
any number of runs of the protocol in parallel. Thus, any two runs of the 
protocol can be simultaneous, even if they involve the same principals. 

As before, we write a specification by modifying the protocol. The style 
of this specification is somewhat more complex than that used in previous 
examples, but it has the advantage of accommodating multiple sessions. 
For this specification, we revise both the sending process and the receiving 
process, but not the server: 

$\mathit{Send}_{spec}(i, j, M) \triangleq (\nu p)(\mathit{Send}(i, j, p) \mid p(x).F(i, j, M))$

$\mathit{Recv}_{spec}(j) \triangleq c_j(y_{cipher}) . \mathit{case}\ y_{cipher}\ \mathit{of}\ \{x_A, x_{key}\}_{K_{Sj}}\ \mathit{in}\ c_j(z_A, z_{cipher}) . [x_A\ \mathit{is}\ z_A]\ \mathit{case}\ z_{cipher}\ \mathit{of}\ \{z_{plain}\}_{x_{key}}\ \mathit{in}\ \overline{z_{plain}}\langle * \rangle$

$\mathit{Sys}_{spec}(I_1, \ldots, I_m) \triangleq (\nu K_{iS})(\nu K_{Sj})(\mathit{Send}_{spec}(I_1) \mid \cdots \mid \mathit{Send}_{spec}(I_m) \mid\ !S \mid\ !\mathit{Recv}_{spec}(1) \mid \cdots \mid\ !\mathit{Recv}_{spec}(n))$



In this specification, the sending process for instance $(i, j, M)$ is as in the 
implementation, except that it sends a fresh channel name $p$ instead of $M$, 
and runs $F(i, j, M)$ when it receives any message on $p$. The receiving process 
in the specification is identical to that in the implementation, except that 
$F(x_A, j, z_{plain})$ is replaced with $\overline{z_{plain}}\langle * \rangle$, where the symbol $*$ represents a 
fixed but arbitrary message. The variable $z_{plain}$ will be bound to the fresh 
name $p$ for the corresponding instance of the protocol. Thus, the receiving 
process will signal on $p$, triggering the execution of the appropriate process 
$F(i, j, M)$. 

A crucial property of this specification is that the only occurrences of $F$ 
are bundled into the description of the sending process. There, $F$ is applied 
to the desired parameters, $(i, j, M)$. Hence it is obvious that an instance 
$(i, j, M)$ will cause the execution of $F(i', j', M')$ only if $i'$ is $i$, $j'$ is $j$, and $M'$ 
is $M$. Therefore, despite its complexity, the specification is more obviously 
"correct" than the implementation. 

Much as in previous examples, we would like the protocol to have the 
following authenticity property: 

$\mathit{Sys}(I_1, \ldots, I_m) \simeq \mathit{Sys}_{spec}(I_1, \ldots, I_m)$, for any instances $I_1, \ldots, I_m$. 

Unfortunately, the protocol is vulnerable to a replay attack that invalidates 
the authenticity equation. Consider the system $\mathit{Sys}(I, I')$ where $I = (i, j, M)$ 
and $I' = (i, j, M')$. An attacker can replay messages of one instance and get 
them mistaken for messages of the other instance, causing $M$ to be passed 
twice to $F$. Thus, $\mathit{Sys}(I, I')$ can be made to execute two copies of $F(i, j, M)$. 
In contrast, no matter what an attacker does, $\mathit{Sys}_{spec}(I, I')$ will run each of 
$F(i, j, M)$ and $F(i, j, M')$ at most once. The authenticity equation therefore 
does not hold. We disprove it more formally in Section 6.4. 
We leave the discussion of secrecy for the next example. 

3.2.4 A complete authentication example (repaired) 

We now improve the protocol of the previous section by adding nonce handshakes 
as protection against replay attacks. The Wide Mouthed Frog protocol 
uses timestamps instead of handshakes. The treatment of timestamps 
in the spi calculus is possible, but it requires additional elements, including 
at least a rudimentary account of clock synchronization. Protocols that use 
handshakes are fundamentally more self-contained than protocols that use 
timestamps; therefore, handshakes make for clearer examples. 
Informally, our new protocol is: 



Message 1  $A \to S$ : $A$ on $c_S$
Message 2  $S \to A$ : $N_S$ on $c_A$
Message 3  $A \to S$ : $A, \{A, A, B, K_{AB}, N_S\}_{K_{AS}}$ on $c_S$
Message 4  $S \to B$ : $*$ on $c_B$
Message 5  $B \to S$ : $N_B$ on $c_S$
Message 6  $S \to B$ : $\{S, A, B, K_{AB}, N_B\}_{K_{SB}}$ on $c_B$
Message 7  $A \to B$ : $A, \{M\}_{K_{AB}}$ on $c_B$

Messages 1 and 2 are the request for a challenge and the challenge, respectively. 
The challenge is $N_S$, a nonce created by $S$; the nonce must not 
have been used previously for this purpose. Obviously the nonce is not secret, 
but it must be unpredictable (for otherwise an attacker could simulate 
a challenge and later replay the response [AN96]). In Message 3, $A$ says 
that $A$ and $B$ can communicate under $K_{AB}$, sometime after receipt of $N_S$. 
All the components $A$, $B$, $K_{AB}$, $N_S$ appear explicitly in the message, for 
safety [AN96], but $A$ could perhaps be elided. The presence of $N_S$ in Message 3 
proves the freshness of the message. In Message 4, $*$ represents a 
fixed but arbitrary message; $S$ uses $*$ to signal that it is ready for a nonce 
challenge $N_B$ from $B$. In Message 6, $S$ says that $A$ says that $A$ and $B$ can 
communicate under $K_{AB}$, sometime after receipt of $N_B$. The first field of 
the encrypted portions of Messages 3 and 6 ($A$ or $S$) makes explicit the 
senders of the messages (somewhat redundantly). Finally, Message 7 is the 
transmission of data under $K_{AB}$. 

The messages of this protocol have many components. For the spi calculus 
representation it is therefore convenient to generalize our syntax of 
pairs to arbitrary tuples. We use the following standard abbreviation, given 
inductively for any $k \geq 2$: 

$(N_1, \ldots, N_k, N_{k+1}) \triangleq ((N_1, \ldots, N_k), N_{k+1})$

and similarly we write $\mathit{let}\ (x_1, \ldots, x_k) = N\ \mathit{in}\ P$, $c(x_1, \ldots, x_k).P$, and 
$\mathit{case}\ L\ \mathit{of}\ \{x_1, \ldots, x_k\}_N\ \mathit{in}\ P$. 
In the spi calculus, we represent the nonces of this protocol as newly 
created names. We obtain the following spi calculus expressions: 

$\mathit{Send}(i, j, M) \triangleq \overline{c_S}\langle i \rangle \mid c_i(x_{nonce}) . (\nu K)(\overline{c_S}\langle (i, \{i, i, j, K, x_{nonce}\}_{K_{iS}})\rangle \mid \overline{c_j}\langle (i, \{M\}_K)\rangle)$

$S \triangleq c_S(x_A) . \prod_{i \in 1..n} [x_A\ \mathit{is}\ i]\ (\nu N_S)(\overline{c_i}\langle N_S \rangle \mid c_S(x'_A, x_{cipher}) . [x'_A\ \mathit{is}\ i]\ \mathit{case}\ x_{cipher}\ \mathit{of}\ \{y_A, z_A, x_B, x_{key}, x_{nonce}\}_{K_{iS}}\ \mathit{in}\ \prod_{j \in 1..n} [y_A\ \mathit{is}\ i]\,[z_A\ \mathit{is}\ i]\,[x_B\ \mathit{is}\ j]\,[x_{nonce}\ \mathit{is}\ N_S]\ \overline{c_j}\langle * \rangle . c_S(y_{nonce}) . \overline{c_j}\langle \{S, i, j, x_{key}, y_{nonce}\}_{K_{Sj}}\rangle)$

$\mathit{Recv}(j) \triangleq c_j(w) . (\nu N_B)(\overline{c_S}\langle N_B \rangle \mid c_j(y_{cipher}) . \mathit{case}\ y_{cipher}\ \mathit{of}\ \{x_S, x_A, x_B, x_{key}, y_{nonce}\}_{K_{Sj}}\ \mathit{in}\ \prod_{i \in 1..n} [x_S\ \mathit{is}\ S]\,[x_A\ \mathit{is}\ i]\,[x_B\ \mathit{is}\ j]\,[y_{nonce}\ \mathit{is}\ N_B]\ c_j(z_A, z_{cipher}) . [z_A\ \mathit{is}\ x_A]\ \mathit{case}\ z_{cipher}\ \mathit{of}\ \{z_{plain}\}_{x_{key}}\ \mathit{in}\ F(x_A, j, z_{plain}))$

$\mathit{Sys}(I_1, \ldots, I_m) \triangleq (\nu K_{iS})(\nu K_{Sj})(\mathit{Send}(I_1) \mid \cdots \mid \mathit{Send}(I_m) \mid\ !S \mid\ !\mathit{Recv}(1) \mid \cdots \mid\ !\mathit{Recv}(n))$

The names $N_S$ and $N_B$ represent the nonces. The variable subscripts are 
hints that indicate what the corresponding variables should represent; for 
example, $x_A$, $x'_A$, $y_A$, and $z_A$ are all expected to be the name of the sending 
process, and $x_{nonce}$ and $y_{nonce}$ are expected to be the nonces generated by 
$S$ and $B$, respectively. 

The definition of $\mathit{Sys}_{spec}$ is exactly analogous to that of the previous 
section, so we omit it. 
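As an added illustration of the receiver-side checks in the two versions of the protocol (Sections 3.2.3 and 3.2.4), here is a small symbolic Python model; it is not code from the paper. The key naming `K_S{i}` for $K_{Si}$, the `fresh` counter standing in for a $(\nu n)$ restriction, and the opaque `Enc` term standing in for $\{M\}_K$ are the model's own assumptions. It hands the server's and sender's ciphertexts of one instance, unchanged, to a second replicated receiver thread (which $!\mathit{Recv}(j)$ permits) and records which $F$ calls fire: without nonces $F(i, j, M)$ fires twice, as in the replay of Section 3.2.3, while the match $[y_{nonce}\ \mathit{is}\ N_B]$ rejects the stale message in the repaired protocol.

```python
from dataclasses import dataclass
from itertools import count

# Added model of the receiver role Recv(j) from Sections 3.2.3 and 3.2.4; not the
# paper's code. Keys, nonces and principal names are plain Python values, and
# {M}_K is the opaque term Enc(body, key) that only the same key opens.

@dataclass(frozen=True)
class Enc:
    body: tuple   # plaintext tuple (N_1, ..., N_k)
    key: str

def decrypt(cipher, key):
    """(Red Decrypt): case {M}_N of {x}_N in P fires only when the keys coincide."""
    if isinstance(cipher, Enc) and cipher.key == key:
        return cipher.body
    return None

_counter = count(1)

def fresh(prefix):
    """Stands in for a (nu n) restriction: a name no other process has seen."""
    return f"{prefix}#{next(_counter)}"

def k_si(i):
    """Long-term key the server uses to send to principal i (assumed naming)."""
    return f"K_S{i}"

def recv_flawed(j, y_cipher, msg3):
    """Recv(j) of Section 3.2.3. Nothing ties y_cipher to this particular thread."""
    parts = decrypt(y_cipher, k_si(j))
    if parts is None or len(parts) != 2:
        return None
    x_a, x_key = parts
    z_a, z_cipher = msg3
    if z_a != x_a:                                  # [x_A is z_A]
        return None
    z_plain = decrypt(z_cipher, x_key)
    return None if z_plain is None else ("F", x_a, j, z_plain[0])

def recv_repaired(j, n, n_b, y_cipher, msg7):
    """Recv(j) of Section 3.2.4, for the thread that sent nonce n_b as Message 5."""
    parts = decrypt(y_cipher, k_si(j))
    if parts is None or len(parts) != 5:
        return None
    x_s, x_a, x_b, x_key, y_nonce = parts
    # [x_S is S]  [x_A is i] for some i in 1..n  [x_B is j]  [y_nonce is N_B]
    if not (x_s == "S" and x_a in range(1, n + 1) and x_b == j and y_nonce == n_b):
        return None
    z_a, z_cipher = msg7
    if z_a != x_a:                                  # [z_A is x_A]
        return None
    z_plain = decrypt(z_cipher, x_key)
    return None if z_plain is None else ("F", x_a, j, z_plain[0])

def redeliver_flawed(i, j, m):
    """Instance (i, j, m) runs once; its two ciphertexts are then handed unchanged
    to a second Recv(j) thread, as the replication !Recv(j) allows."""
    k_ab = fresh("K")
    msg2 = Enc((i, k_ab), k_si(j))                  # S -> B : {A, K_AB}_{K_SB}
    msg3 = (i, Enc((m,), k_ab))                     # A -> B : A, {M}_{K_AB}
    runs = [recv_flawed(j, msg2, msg3), recv_flawed(j, msg2, msg3)]
    return [r for r in runs if r is not None]

def redeliver_repaired(i, j, n, m):
    """Same re-delivery against the repaired receiver: each thread has its own N_B."""
    k_ab = fresh("K")
    n_b1 = fresh("N_B")                             # challenge of the first thread
    msg6 = Enc(("S", i, j, k_ab, n_b1), k_si(j))    # S -> B : {S, A, B, K_AB, N_B}_{K_SB}
    msg7 = (i, Enc((m,), k_ab))                     # A -> B : A, {M}_{K_AB}
    n_b2 = fresh("N_B")                             # challenge of the second thread
    runs = [recv_repaired(j, n, n_b1, msg6, msg7),
            recv_repaired(j, n, n_b2, msg6, msg7)]  # stale N_B: the match fails
    return [r for r in runs if r is not None]

if __name__ == "__main__":
    print(redeliver_flawed(1, 2, "M"))       # F(1, 2, M) fires twice
    print(redeliver_repaired(1, 2, 3, "M"))  # F(1, 2, M) fires once
```

The two receiver functions follow the order of the checks in $\mathit{Recv}(j)$: decryption under the long-term key, then the matches on the cleartext fields, then the match on the sender's name before the session key is used. Only the repaired version has a value ($N_B$) that is private to one receiver thread, which is exactly what the second thread's comparison needs.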

We now obtain the authenticity property: 

$\mathit{Sys}(I_1, \ldots, I_m) \simeq \mathit{Sys}_{spec}(I_1, \ldots, I_m)$, for any instances $I_1, \ldots, I_m$. 

This property holds because of the use of nonces. In particular, the attack 
described in Section 3.2.3 can no longer distinguish $\mathit{Sys}(I_1, \ldots, I_m)$ from 
$\mathit{Sys}_{spec}(I_1, \ldots, I_m)$. 

As a secrecy property, we would like to express that there is no way for 
an external observer to tell apart two executions of the system with identical 
participants but different messages. The secrecy property should therefore 
assert that the protocol does not reveal any information about the contents 
of exchanged messages if none is revealed after the key exchange. 

In order to express that no information is revealed after the key exchange, 
we introduce the following definition. We say that a pair of instances 
$(i, j, M)$ and $(i', j', M')$ is indistinguishable if the two instances 
have the same source and destination addresses ($i = i'$ and $j = j'$) and 
if $F(i, j, M) \simeq F(i, j, M')$. 

Our definition of secrecy is that, if each pair $(I_1, J_1), \ldots, (I_m, J_m)$ is 
indistinguishable, then $\mathit{Sys}(I_1, \ldots, I_m) \simeq \mathit{Sys}(J_1, \ldots, J_m)$. This means that 
an observer cannot distinguish two systems parameterized by two sets of 
indistinguishable instances. This property holds for our protocol. 

In summary, we have: 

Authenticity: $\mathit{Sys}(I_1, \ldots, I_m) \simeq \mathit{Sys}_{spec}(I_1, \ldots, I_m)$, 
for any instances $I_1, \ldots, I_m$. 

Secrecy: $\mathit{Sys}(I_1, \ldots, I_m) \simeq \mathit{Sys}(J_1, \ldots, J_m)$, 
if each pair $(I_1, J_1), \ldots, (I_m, J_m)$ is indistinguishable. 

We could ask for a further property of anonymity, namely that the source 
and the destination addresses of instances be protected from eavesdroppers. 
However, anonymity holds neither for our protocol nor for most current, 
practical protocols. It would be easy enough to specify anonymity, should 
it be relevant. 

As suggested in Section 3.2.1, we could also consider a variant of the pro- 
tocol where some keys are compromised. For this protocol, the compromised 
keys could include both session keys and longer-term keys shared with S. 
Allowing the longer-term keys $K_{iS}$ and $K_{Si}$ to be compromised is basically 
equivalent to considering the case where principal i may behave dishonestly 
and not follow the protocol. We believe that, even in the presence of dishon- 
est principals, the protocol guarantees security for sessions between honest 
principals. 

3.2.5 Discussion 

After these examples, it should be obvious that writing a protocol in the spi 
calculus is a little harder than writing it in the informal notations common 
in the literature. On the other hand, the spi calculus versions are more 
detailed. They make clear not only what messages are sent but also how the 
messages are generated and how they are checked. These aspects of the spi 
calculus descriptions add complexity, but they enable finer analysis. (Recall, 
for example, that one of the mistakes in the CCITT X.509 protocol was to 
omit a timestamp check [BAN89].) 

It should also be obvious that writing a protocol in the spi calculus 
is essentially analogous to writing it in any programming language with 
suitable communication and encryption libraries. The main advantage of 
the spi calculus is its formal precision. 

We cannot say that the spi calculus will be as good a tool for finding 
flaws in protocols as some of the logics listed in the introduction. On the 
other hand, the spi calculus seems to rest on firmer ground, so it yields more 
convincing proofs of correctness. 

4 Formal Semantics of the Spi Calculus 

In this section, we start the formal treatment of the spi calculus. In Section 4.1 
we introduce the reaction relation; $P \to Q$ means there is a reaction 
between subprocesses of $P$ such that the whole can take a step to process $Q$. 
Reaction is the basic notion of computation in both the pi calculus and the 
spi calculus. In Section 4.2, we give a precise definition of the equivalence 
relation $\simeq$, which we have used for expressing security properties. 

Syntactic Conventions 

The grammar of the spi calculus is given in Sections 2.2 and 3.1. It has two 
syntactic categories, of terms, ranged over by L, M, N, and of processes, 
ranged over by P, Q, R. The metavariables m, n, p, q, and r range over an 
infinite set of names. The metavariables x, y, and z range over a disjoint, 
infinite set of variables. 

We write $\mathit{fn}(M)$ and $\mathit{fn}(P)$ for the sets of names free in term $M$ and 
process $P$ respectively. Similarly, we write $\mathit{fv}(M)$ and $\mathit{fv}(P)$ for the sets of 
variables free in $M$ and $P$ respectively. We say that a term or process is 
closed to mean that it has no free variables. (To be able to communicate 
externally, a process must have free names.) The set $\mathit{Proc} = \{P \mid \mathit{fv}(P) = \emptyset\}$ 
is the set of closed processes. 

4.1 The Reaction Relation 

The reaction relation is a concise account of computation in the pi calculus 
introduced by Milner [Mil92], inspired by the Chemical Abstract Machine 
of Berry and Boudol [BB92]. One thinks of a process as consisting of a 
chemical solution of molecules waiting to react. A reaction step arises from 
the interaction of the adjacent molecules $\overline{m}\langle N \rangle.P$ and $m(x).Q$, as follows: 

(React Inter)  $\overline{m}\langle N \rangle.P \mid m(x).Q \to P \mid Q[N/x]$

Just as one might stir a chemical solution to allow non-adjacent molecules 
to react, we define a relation, structural equivalence, that allows processes 
to be rearranged so that (React Inter) is applicable. We first define the 
reduction relation $>$ on closed processes: 



(Red Repl)     $!P > P \mid\ !P$

(Red Match)    $[M\ \mathit{is}\ M]\ P > P$

(Red Let)      $\mathit{let}\ (x, y) = (M, N)\ \mathit{in}\ P > P[M/x][N/y]$

(Red Zero)     $\mathit{case}\ 0\ \mathit{of}\ 0 : P\ \ \mathit{suc}(x) : Q > P$

(Red Suc)      $\mathit{case}\ \mathit{suc}(M)\ \mathit{of}\ 0 : P\ \ \mathit{suc}(x) : Q > Q[M/x]$

(Red Decrypt)  $\mathit{case}\ \{M\}_N\ \mathit{of}\ \{x\}_N\ \mathit{in}\ P > P[M/x]$



(The reduction relation is not found in previous accounts of the pi calculus; 
we introduce it here because it is useful also in the definition of commitment, 
given in Section 5.1.) We let structural equivalence, =, be the least relation 
on closed processes that satisfies the following equations and rules: 

(Struct Nil)        $P \mid 0 \equiv P$

(Struct Comm)       $P \mid Q \equiv Q \mid P$

(Struct Assoc)      $P \mid (Q \mid R) \equiv (P \mid Q) \mid R$

(Struct Switch)     $(\nu m)(\nu n)P \equiv (\nu n)(\nu m)P$

(Struct Drop)       $(\nu n)0 \equiv 0$

(Struct Extrusion)  $(\nu n)(P \mid Q) \equiv P \mid (\nu n)Q$ if $n \notin \mathit{fn}(P)$

(Struct Red)   $\dfrac{P > Q}{P \equiv Q}$      (Struct Refl)   $\dfrac{}{P \equiv P}$      (Struct Symm)   $\dfrac{P \equiv Q}{Q \equiv P}$

(Struct Trans)   $\dfrac{P \equiv Q \quad Q \equiv R}{P \equiv R}$      (Struct Par)   $\dfrac{P \equiv P'}{P \mid Q \equiv P' \mid Q}$      (Struct Res)   $\dfrac{P \equiv P'}{(\nu m)P \equiv (\nu m)P'}$

Now we can complete the formal description of the reaction relation. We 
let the reaction relation, $\to$, be the least relation on closed processes that 
satisfies (React Inter) and the following rules: 

(React Struct)   $\dfrac{P \equiv P' \quad P' \to Q' \quad Q' \equiv Q}{P \to Q}$

(React Par)   $\dfrac{P \to P'}{P \mid Q \to P' \mid Q}$      (React Res)   $\dfrac{P \to P'}{(\nu n)P \to (\nu n)P'}$

This definition of the reaction relation corresponds to the informal description 
of process behaviour given in Sections 2.2 and 3.1. 

As an example, we can use the definition of the reaction relation to show 
the behaviour of the protocol of Section 3.2.2: 

$\mathit{Inst}(M) \equiv (\nu K_{AS})(\nu K_{SB})(A(M) \mid S \mid B)$
$\to (\nu K_{AS})(\nu K_{SB})(\nu K_{AB})(\overline{c_{AB}}\langle \{M\}_{K_{AB}}\rangle \mid \overline{c_{SB}}\langle \{K_{AB}\}_{K_{SB}}\rangle \mid B)$
$\to (\nu K_{AS})(\nu K_{SB})(\nu K_{AB})(\overline{c_{AB}}\langle \{M\}_{K_{AB}}\rangle \mid c_{AB}(z) . \mathit{case}\ z\ \mathit{of}\ \{w\}_{K_{AB}}\ \mathit{in}\ F(w))$
$\to (\nu K_{AS})(\nu K_{SB})(\nu K_{AB})F(M)$
$\equiv F(M)$

The last step in this calculation is justified by our general convention that 
none of the bound parameters of the protocol (including, in this case, $K_{AS}$, 
$K_{SB}$, and $K_{AB}$) occurs free in $F$. 

4.2 Testing Equivalence 

In order to define testing equivalence, we first define a predicate that describes 
the channels on which a process can communicate. We let a barb, 
$\beta$, be an input or output channel, that is, either a name $m$ (representing 
input) or a co-name $\overline{m}$ (representing output). For a closed process $P$, we 
define the predicate $P$ exhibits barb $\beta$, written $P \downarrow \beta$, by the two axioms: 



(Barb In)   $m(x).P \downarrow m$      (Barb Out)   $\overline{m}\langle M \rangle.P \downarrow \overline{m}$

and the three rules: 

(Barb Par)   $\dfrac{P \downarrow \beta}{P \mid Q \downarrow \beta}$      (Barb Res)   $\dfrac{P \downarrow \beta \quad \beta \notin \{m, \overline{m}\}}{(\nu m)P \downarrow \beta}$      (Barb Struct)   $\dfrac{P \equiv Q \quad Q \downarrow \beta}{P \downarrow \beta}$
Intuitively, $P \downarrow \beta$ holds just if $P$ is a closed process that may input or output 
immediately on barb $\beta$. The convergence predicate $P \Downarrow \beta$ holds if $P$ is a 
closed process that exhibits $\beta$ after some reactions: 
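An added example, not part of the paper, implementing the reduction relation $>$ of Section 4.1 and the barb predicate $\downarrow$ above over a small Python representation of spi calculus syntax; the constructor names (`Out`, `In`, `Decrypt`, and so on) are this example's own. Co-names are written with a leading `~`. (Barb Struct) is applied only through reduction steps $P > Q$ (the other structural rules do not change a process's barbs), which is enough to see that a decryption under the wrong key is stuck and exhibits no barb, while the same process under the right key exhibits the output barb of its continuation.

```python
from dataclasses import dataclass, fields

# Added example, not the paper's code: spi calculus syntax as dataclasses, the
# reduction relation > of Section 4.1, and the barb predicate of Section 4.2.
# Names and variables are disjoint, as in the paper.

# Terms L, M, N
@dataclass(frozen=True)
class Name: n: str
@dataclass(frozen=True)
class Var: x: str
@dataclass(frozen=True)
class Pair: a: object; b: object
@dataclass(frozen=True)
class Zero: pass
@dataclass(frozen=True)
class Suc: m: object
@dataclass(frozen=True)
class Enc: m: object; k: object                          # {M}_N

# Processes P, Q, R
@dataclass(frozen=True)
class Nil: pass                                          # 0
@dataclass(frozen=True)
class Out: chan: object; msg: object; cont: object       # c<M>.P
@dataclass(frozen=True)
class In: chan: object; x: str; cont: object             # c(x).P
@dataclass(frozen=True)
class Par: p: object; q: object                          # P | Q
@dataclass(frozen=True)
class Res: n: str; p: object                             # (nu n)P
@dataclass(frozen=True)
class Repl: p: object                                    # !P
@dataclass(frozen=True)
class Match: m: object; n: object; p: object             # [M is N] P
@dataclass(frozen=True)
class Let: x: str; y: str; t: object; p: object          # let (x, y) = M in P
@dataclass(frozen=True)
class CaseNum: t: object; p: object; x: str; q: object   # case M of 0 : P suc(x) : Q
@dataclass(frozen=True)
class Decrypt: t: object; x: str; k: object; p: object   # case L of {x}_N in P

def subst(e, x, M):
    """e[M/x]: replace free occurrences of variable x by the closed term M.
    Capture of names is not checked (the paper's usual side condition)."""
    if isinstance(e, Var):
        return M if e.x == x else e
    if isinstance(e, (Name, Zero, Nil)):
        return e
    if isinstance(e, In):                          # x bound in the continuation
        body = e.cont if e.x == x else subst(e.cont, x, M)
        return In(subst(e.chan, x, M), e.x, body)
    if isinstance(e, Let):                         # x, y bound in the body only
        body = e.p if x in (e.x, e.y) else subst(e.p, x, M)
        return Let(e.x, e.y, subst(e.t, x, M), body)
    if isinstance(e, CaseNum):                     # x bound in the suc branch only
        q = e.q if e.x == x else subst(e.q, x, M)
        return CaseNum(subst(e.t, x, M), subst(e.p, x, M), e.x, q)
    if isinstance(e, Decrypt):                     # x bound in the body only
        body = e.p if e.x == x else subst(e.p, x, M)
        return Decrypt(subst(e.t, x, M), e.x, subst(e.k, x, M), body)
    # Every other constructor binds no variable: substitute in each subterm.
    parts = [getattr(e, f.name) for f in fields(e)]
    return type(e)(*(v if isinstance(v, str) else subst(v, x, M) for v in parts))

def reduce_step(P):
    """The reduction relation P > Q: returns Q, or None when no (Red ...) rule applies."""
    if isinstance(P, Repl):                                                 # (Red Repl)
        return Par(P.p, P)
    if isinstance(P, Match) and P.m == P.n:                                 # (Red Match)
        return P.p
    if isinstance(P, Let) and isinstance(P.t, Pair):                        # (Red Let)
        return subst(subst(P.p, P.x, P.t.a), P.y, P.t.b)
    if isinstance(P, CaseNum) and isinstance(P.t, Zero):                    # (Red Zero)
        return P.p
    if isinstance(P, CaseNum) and isinstance(P.t, Suc):                     # (Red Suc)
        return subst(P.q, P.x, P.t.m)
    if isinstance(P, Decrypt) and isinstance(P.t, Enc) and P.t.k == P.k:    # (Red Decrypt)
        return subst(P.p, P.x, P.t.m)
    return None                                    # stuck, e.g. decryption under the wrong key

def barbs(P):
    """The set of barbs beta with P | beta: 'm' for input on m, '~m' for output on m."""
    if isinstance(P, In) and isinstance(P.chan, Name):                      # (Barb In)
        return {P.chan.n}
    if isinstance(P, Out) and isinstance(P.chan, Name):                     # (Barb Out)
        return {"~" + P.chan.n}
    if isinstance(P, Par):                                                  # (Barb Par)
        return barbs(P.p) | barbs(P.q)
    if isinstance(P, Res):                                                  # (Barb Res)
        return barbs(P.p) - {P.n, "~" + P.n}
    if isinstance(P, Repl):                        # !P == P | !P has exactly the barbs of P
        return barbs(P.p)
    Q = reduce_step(P)                             # (Barb Struct) through (Struct Red)
    return barbs(Q) if Q is not None else set()
```

Running `barbs` on `Decrypt(Enc(Name("M"), Name("K")), "x", Name("K"), Out(Name("c"), Var("x"), Nil()))` gives `{"~c"}`, and replacing the decryption key by `Name("K2")` gives the empty set; wrapping either process in `Res("c", ...)` hides the barb, as (Barb Res) requires.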

(Conv Barb)   $\dfrac{P \downarrow \beta}{P \Downarrow \beta}$      (Conv React)   $\dfrac{P \to Q \quad Q \Downarrow \beta}{P \Downarrow \beta}$

We let a test consist of any closed process $R$ and any barb $\beta$. A closed 
process $P$ passes the test if and only if $(P \mid R) \Downarrow \beta$. The notion of testing 
gives rise to a testing preorder $\sqsubseteq$ and to a testing equivalence $\simeq$ on the set 
$\mathit{Proc}$ of closed processes: 

$P \sqsubseteq Q \triangleq$ for any test $(R, \beta)$, if $(P \mid R) \Downarrow \beta$ then $(Q \mid R) \Downarrow \beta$
$P \simeq Q \triangleq P \sqsubseteq Q$ and $Q \sqsubseteq P$

The idea of testing equivalence comes from the work of De Nicola and 
Hennessy [DH84]. In that work, tests are processes that contain the distinguished 
name $\omega$ (instead of being parameterized by a barb $\beta$). This is 
only a superficial difference, and we can show that our relation $\simeq$ is a version 
of De Nicola and Hennessy's may-testing equivalence. As De Nicola 
and Hennessy have explained, may-testing corresponds to partial correctness 
(or safety), while must-testing corresponds to total correctness. Like 
much of the security literature, our work focuses on safety properties, hence 
our definitions. 

One of the advantages of testing equivalence as the basis of our speci- 
fications of authenticity and secrecy is its simple definition in terms of the 
convergence predicate. A test neatly formalizes the idea of a generic ex- 
periment or observation that another process (such as an attacker) might 
perform on a process. Thus testing equivalence concisely captures the con- 
cept of equivalence in an arbitrary environment. 

According to our definitions, two closed processes P and Q are testing 
equivalent if their respective parallel compositions with a third process R 
behave similarly. It follows that P and Q can be used interchangeably in 
any context (not just in parallel with R). More precisely, testing equivalence 
is a congruence; that is, ~ is an equivalence relation with the property that 
if $P \simeq Q$ then $C[P] \simeq C[Q]$ for any closed context $C$. (A closed context $C$ is 
a closed process with a single hole; C[P] and C[Q] are the outcomes of filling 
the hole with P and Q, respectively.) 
Proposition 1 

(1) Structural equivalence implies testing equivalence. 

(2) Testing equivalence is reflexive, transitive, and symmetric. 

(3) Testing equivalence is a congruence on closed processes. 

This proposition is essential for equational reasoning with testing equiva- 
lence. Its proof is in Appendix D, where we show that testing equivalence 
remains a congruence when extended to open processes. 

Testing equivalence is sensitive to the choice of language. Two processes 
that are testing equivalent in our calculus may not be testing equivalent after 
new constructs are added to the calculus. As Boreale and De Nicola have 
shown [BN95], testing equivalence becomes finer-grained in the presence 
of a mismatch construct ([M is not N] P). Our calculus does not include 
a mismatch construct because we have not found a need for it in writing 
protocols; however, such a construct is sensible and perhaps yields a better 
definition of testing equivalence. The same is true for other "negative" 
constructs that check whether a term is not a name, not a number, not a 
pair, or not encrypted under a given key. We believe that the results of this 
paper remain valid for a range of reasonable extensions of our calculus, but 
we leave the study of such extensions for future work. 

5 Semantic Notions Useful in Proofs 

This section develops proof techniques for the spi calculus, based on earlier 
work on the pi calculus. Section 5.1 defines the commitment relation, pro- 
viding in particular a characterization of the reaction relation. Section 5.2 
reviews the notions of strong bisimulation, barbed equivalence, and barbed 
congruence [MS92]. Finally, Section 5.3 introduces the underpinning rela- 
tion and shows its use for proofs of secrecy. 

In order to prove a testing equivalence directly, we need to consider ar- 
bitrary tests and arbitrary sequences of reactions. The use of structural 
equivalence to define reaction is elegant, but makes proofs a little awk- 
ward. One of the purposes of this section is to obtain a direct inductive 
characterization of reaction without appeal to structural equivalence, and a 
co-inductive method for proving testing equivalence. 



5.1 The Commitment Relation 



The original semantics of the pi calculus (given in [MPW92]) is not based on 
the notion of reaction, but rather on a labelled transition system. Here we 
define a labelled-transition semantics for the spi calculus, imitating Milner's 
recent lecture notes [Mil95b]. Despite differences in style, this semantics is 
essentially equivalent to the one of Section 4, so it can be used in proofs 
about that semantics. 

In order to define the labelled-transition semantics, we need some new 
syntactic forms: abstractions, concretions, and agents. An abstraction is an 
expression of the form $(x)P$, where $x$ is a bound variable and $P$ is a process. 
Intuitively, $(x)P$ is like the process $p(x).P$ minus the name $p$. A concretion 
is an expression of the form $(\nu m_1, \ldots, m_k)\langle M \rangle P$, where $M$ is a term, $P$ 
is a process, $k \geq 0$, and the names $m_1, \ldots, m_k$ are bound in $M$ and $P$. 
Intuitively, $(\nu m_1, \ldots, m_k)\langle M \rangle P$ is like the process $(\nu m_1) \ldots (\nu m_k)\overline{p}\langle M \rangle.P$ 
minus the name $p$, provided $p$ is not one of $m_1, \ldots, m_k$. We often write 
concretions as $(\nu \vec{m})\langle M \rangle P$, where $\vec{m} = m_1, \ldots, m_k$, or simply $(\nu)\langle M \rangle P$ if 
$k = 0$. Finally, an agent is an abstraction, a process, or a concretion. We 
use the metavariables $A$ and $B$ to stand for arbitrary agents, and let $\mathit{fv}(A)$ 
and $\mathit{fn}(A)$ be the sets of free variables and names of an agent $A$, respectively. 

We extend the restriction and composition operators to arbitrary agents, 
as follows. For an abstraction, $(x)P$, we set: 

$(\nu m)(x)P \triangleq (x)(\nu m)P$
$R \mid (x)P \triangleq (x)(R \mid P)$

assuming that $x \notin \mathit{fv}(R)$. For a concretion, $(\nu \vec{n})\langle M \rangle Q$, we set: 

$(\nu m)(\nu \vec{n})\langle M \rangle Q \triangleq (\nu m, \vec{n})\langle M \rangle Q$ if $m \in \mathit{fn}(M)$, and $(\nu \vec{n})\langle M \rangle (\nu m)Q$ otherwise
$R \mid (\nu \vec{n})\langle M \rangle Q \triangleq (\nu \vec{n})\langle M \rangle (R \mid Q)$

assuming that $m \notin \{\vec{n}\}$ and that $\{\vec{n}\} \cap \mathit{fn}(R) = \emptyset$. We define the dual 
composition $A \mid R$ symmetrically. If $F$ is the abstraction $(x)P$ and $C$ is the 
concretion $(\nu \vec{n})\langle M \rangle Q$, and $\{\vec{n}\} \cap \mathit{fn}(P) = \emptyset$, we define the interactions $F@C$ 
and $C@F$ to be the processes given by: 

$F@C \triangleq (\nu \vec{n})(P[M/x] \mid Q)$
$C@F \triangleq (\nu \vec{n})(Q \mid P[M/x])$

When $F$ is the abstraction $(x)P$, we may write $F(M)$ for its instantiation to 
$M$, that is, for $P[M/x]$. With this notation, we have $F@C = (\nu \vec{n})(F(M) \mid Q)$ 
and $C@F = (\nu \vec{n})(Q \mid F(M))$. Intuitively, these processes are the possible 
immediate results of the encounter of $F$ and $C$. Given a common name $p$, 
we have that $F$ is like $p(x).P$ and $C$ is like $(\nu \vec{n})\overline{p}\langle M \rangle.Q$, so an interaction of 
$F$ and $C$ is a process obtained when $p(x).P$ and $(\nu \vec{n})\overline{p}\langle M \rangle.Q$, put in parallel, 
communicate on $p$. 

An action is a name $m$, a co-name $\overline{m}$, or the distinguished silent action $\tau$. 
That is, an action is either a barb or $\tau$. The commitment relation is written 
$P \xrightarrow{\alpha} A$, where $P$ is a closed process, $\alpha$ is an action, and $A$ is a closed 
agent. We define this relation inductively, by the following rules: 



(Comm In)   $m(x).P \xrightarrow{m} (x)P$      (Comm Out)   $\overline{m}\langle M \rangle.P \xrightarrow{\overline{m}} (\nu)\langle M \rangle P$

(Comm Inter 1)   $\dfrac{P \xrightarrow{m} F \quad Q \xrightarrow{\overline{m}} C}{P \mid Q \xrightarrow{\tau} F@C}$      (Comm Inter 2)   $\dfrac{P \xrightarrow{\overline{m}} C \quad Q \xrightarrow{m} F}{P \mid Q \xrightarrow{\tau} C@F}$

(Comm Par 1)   $\dfrac{P \xrightarrow{\alpha} A}{P \mid Q \xrightarrow{\alpha} A \mid Q}$      (Comm Par 2)   $\dfrac{Q \xrightarrow{\alpha} A}{P \mid Q \xrightarrow{\alpha} P \mid A}$

(Comm Res)   $\dfrac{P \xrightarrow{\alpha} A \quad \alpha \notin \{m, \overline{m}\}}{(\nu m)P \xrightarrow{\alpha} (\nu m)A}$      (Comm Red)   $\dfrac{P > Q \quad Q \xrightarrow{\alpha} A}{P \xrightarrow{\alpha} A}$



Intuitively, (Comm In) says that an abstraction is the residue of an input 
commitment; (Comm Out) says that a concretion is the residue of an out- 
put commitment; and (Comm Inter 1) and (Comm Inter 2) say that the 
combination of an abstraction and a concretion gives an interaction. Thus, 
the commitment relation has a straightforward structural definition; that is 
its main appeal. 

Whenever $P \xrightarrow{\alpha} A$, the action $\alpha$ is $\tau$, a name, or a co-name just if the 
agent $A$ is a process, an abstraction, or a concretion, respectively. Therefore, 
the commitment relation indexed by $\tau$, $\xrightarrow{\tau}$, is a binary relation on closed 
processes. We write $\xrightarrow{\tau}{}^{*}$ for the reflexive and transitive closure of $\xrightarrow{\tau}$. 
Moreover, we write $P \xrightarrow{\tau}\equiv Q$ when there exists a process $R$ such that 
$P \xrightarrow{\tau} R$ and $R \equiv Q$. 

The following propositions connect the commitment relation with some 
of the formal notions of Section 4: exhibiting a barb, reaction, and testing. 
Proposition 2 $P \downarrow \beta$ if and only if there exists an agent $A$ such that 
$P \xrightarrow{\beta} A$. 

Proposition 3 $P \to Q$ if and only if $P \xrightarrow{\tau}\equiv Q$. 

Proposition 4 $P$ passes a test $(R, \beta)$ if and only if there exist an agent $A$ 
and a process $Q$ such that $P \mid R \xrightarrow{\tau}{}^{*} Q$ and $Q \xrightarrow{\beta} A$. 

The proofs of these propositions are in Appendix B. 
5.2 Some Auxiliary Equivalences 

In this section, we describe several equivalences on processes that approxi- 
mate testing equivalence. In particular, in Section 5.2.3, we define barbed 
congruence, which is a stronger relation than testing equivalence but is some- 
times easier to prove directly. 

5.2.1 Strong bisimilarity 

We first recall the definition of strong bisimulation [Mil95b]. If $\mathcal{R}$ is a relation 
on closed processes, we define the relation $\hat{\mathcal{R}}$ on closed agents: 

$P\ \hat{\mathcal{R}}\ Q$ iff $P\ \mathcal{R}\ Q$

$(x)P\ \hat{\mathcal{R}}\ (x)Q$ iff $P[M/x]\ \mathcal{R}\ Q[M/x]$ for all closed $M$

$(\nu \vec{m})\langle M \rangle P\ \hat{\mathcal{R}}\ (\nu \vec{n})\langle M \rangle Q$ iff $\vec{m}$ is a permutation of $\vec{n}$ and $P\ \mathcal{R}\ Q$

A strong simulation is a binary relation $\mathcal{S} \subseteq \mathit{Proc} \times \mathit{Proc}$ such that if $P\ \mathcal{S}\ Q$ 
and $P \xrightarrow{\alpha} A$ then there exists $B$ with $Q \xrightarrow{\alpha} B$ and $A\ \hat{\mathcal{S}}\ B$. A relation $\mathcal{S}$ is 
a strong bisimulation if and only if both $\mathcal{S}$ and its converse are strong 
simulations. 

Strong bisimilarity, written $\sim_s$, is the greatest strong bisimulation, namely 
the union of all strong bisimulations. Strong bisimilarity is a rather 
fine-grained equivalence for the spi calculus. For instance, it discriminates 
between the processes $(\nu K)\overline{c}\langle \{M\}_K \rangle$ and $(\nu K)\overline{c}\langle \{M'\}_K \rangle$, which we would 
wish to equate as we explained in Section 3.1. Still, strong bisimilarity is 
often useful in justifying particular steps of our proofs. 

5.2.2 Barbed equivalence 

Intuitively, one way of weakening strong bisimilarity is to ignore what messages 
are sent on what channels, and to record only what channels are used. 
This informal idea leads to the concepts defined here and in Section 5.2.3. 
A barbed simulation is a binary relation $\mathcal{S} \subseteq \mathit{Proc} \times \mathit{Proc}$ such that $P\ \mathcal{S}\ Q$ 
implies: 

(1) for each barb $\beta$, if $P \downarrow \beta$ then $Q \downarrow \beta$, and 

(2) if $P \to P'$ then there exists $Q'$ such that $Q \to Q'$ and $P' \equiv\mathcal{S}\equiv Q'$ 

where $P' \equiv\mathcal{S}\equiv Q'$ means that there exist $P''$ and $Q''$ such that $P' \equiv P''$, 
$P''\ \mathcal{S}\ Q''$, and $Q'' \equiv Q'$. A barbed bisimulation is a relation $\mathcal{S}$ such that both 
$\mathcal{S}$ and $\mathcal{S}^{-1}$ are barbed simulations. 

Barbed equivalence, written $\sim$, is the greatest barbed bisimulation. We 
prove the following basic facts about barbed equivalence in Appendix D: 

Proposition 5 

(1) Barbed equivalence is reflexive, transitive, and symmetric. 

(2) Structural equivalence implies barbed equivalence. 

(3) Strong bisimilarity implies barbed equivalence. 

(4) Barbed equivalence is preserved by restriction. 

It follows from these facts, in particular, that if $P \sim Q$ and $P \to P'$ then 
there exists $Q'$ such that $Q \to Q'$ and $P' \sim Q'$. 

In order to establish a barbed equivalence, it is often convenient to use 
Milner's standard technique of "bisimulation up to" [Mil89, MPW92]. A 
barbed simulation up to $\dot\sim$ is a binary relation $\mathcal{S} \subseteq Proc \times Proc$ such that 
$P\ \mathcal{S}\ Q$ implies: 

(1) for each barb $\beta$, if $P \downarrow \beta$ then $Q \downarrow \beta$, and 

(2) if $P \rightarrow P'$ then there exists $Q'$ such that $Q \rightarrow Q'$ and $P' \dot\sim\mathcal{S}\dot\sim Q'$ 

where $P' \dot\sim\mathcal{S}\dot\sim Q'$ means that there exist $P''$ and $Q''$ such that $P' \dot\sim P''$, 
$P''\ \mathcal{S}\ Q''$, and $Q'' \dot\sim Q'$. A barbed bisimulation up to $\dot\sim$ is a relation $\mathcal{S}$ such 
that both $\mathcal{S}$ and $\mathcal{S}^{-1}$ are barbed simulations up to $\dot\sim$. 

More generally, a barbed simulation up to $\dot\sim$ and restriction is a binary 
relation $\mathcal{S} \subseteq Proc \times Proc$ such that $P\ \mathcal{S}\ Q$ implies: 

(1) for each barb $\beta$, if $P \downarrow \beta$ then $Q \downarrow \beta$, and 

(2) if $P \rightarrow P'$ then there exists $Q'$ such that $Q \rightarrow Q'$, and there exist $P''$, 
$Q''$, and names $\vec{n}$ such that $P' \dot\sim (\nu\vec{n})P''$, $Q' \dot\sim (\nu\vec{n})Q''$, and $P''\ \mathcal{S}\ Q''$. 
A barbed bisimulation up to $\dot\sim$ and restriction is a relation $\mathcal{S}$ such that both 
$\mathcal{S}$ and $\mathcal{S}^{-1}$ are barbed simulations up to $\dot\sim$ and restriction. 

Proposition 6 If $\mathcal{S}$ is a barbed bisimulation up to $\dot\sim$ and restriction, then 
$\mathcal{S} \subseteq \dot\sim$. A fortiori, if $\mathcal{S}$ is a barbed bisimulation up to $\dot\sim$, then $\mathcal{S} \subseteq \dot\sim$. 

The proof of this proposition is in Appendix D. 

Barbed equivalence is still only a stepping stone. One reason for this is 
that there are processes that are barbed equivalent but not strongly bisimilar 
or testing equivalent, such as $\bar{m}\langle n\rangle.\bar{m}\langle n\rangle.0$ and $\bar{m}\langle n\rangle.0$, which have the 
barb $\bar{m}$ and no reactions. Moreover, barbed equivalence is far from being 
a congruence: it is not even closed under composition, as can be seen by 
comparing $(\bar{m}\langle n\rangle.\bar{m}\langle n\rangle.0) \mid (m(x).0)$ and $(\bar{m}\langle n\rangle.0) \mid (m(x).0)$. 
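As an added illustration (not code from the paper), the following Python computes the greatest barbed bisimulation over a small hand-encoded reaction graph and checks both claims of the paragraph above: the two output processes are barbed equivalent, but their compositions with $m(x).0$ are not. It assumes that structural equivalence is handled by identifying states up to $\equiv$ when the graph is written down, so the $\equiv\mathcal{S}\equiv$ clause collapses to membership in the relation.

```python
"""Greatest barbed bisimulation over a finite reaction graph (added
illustration of Section 5.2.2; not code from the paper). Each state stands
for a closed process; STATES maps a state to (its barbs, its reaction
successors). Structural equivalence is approximated by identity of state
names, so the up-to-equivalence clause of the definition collapses to plain
membership in the relation."""

# Constructed encoding of the two examples in the text. Barbs are written
# "out m" for the co-name (an output on m) and "in m" for the name m.
A = "out m<n>.out m<n>.0"
B = "out m<n>.0"
A_PAR = "(out m<n>.out m<n>.0) | (m(x).0)"
B_PAR = "(out m<n>.0) | (m(x).0)"
STATES = {
    A:     ({"out m"}, set()),          # barb on m, no partner to react with
    B:     ({"out m"}, set()),
    A_PAR: ({"out m", "in m"}, {B}),    # one reaction, leaving out m<n>.0 | 0,
                                        # identified with B up to structural equivalence
    B_PAR: ({"out m", "in m"}, {"0"}),  # one reaction, leaving 0 | 0
    "0":   (set(), set()),
}


def matches(p, q, rel, states):
    """Every reaction p -> p2 is matched by some q -> q2 with (p2, q2) in rel."""
    _, p_next = states[p]
    _, q_next = states[q]
    return all(any((p2, q2) in rel for q2 in q_next) for p2 in p_next)


def barbed_equivalence(states):
    """Greatest fixpoint: start from all pairs and discard a pair as soon as
    one side has a barb the other lacks, or a reaction the other cannot match
    inside the relation. What remains is the largest barbed bisimulation on
    the graph, i.e. barbed equivalence restricted to these states."""
    rel = {(p, q) for p in states for q in states}
    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            same_barbs = states[p][0] == states[q][0]
            if not (same_barbs and matches(p, q, rel, states)
                    and matches(q, p, rel, states)):
                rel.discard((p, q))
                changed = True
    return rel


def barbed_equivalent(p, q, states=STATES):
    """True iff p and q are related by the greatest barbed bisimulation."""
    return (p, q) in barbed_equivalence(states)


if __name__ == "__main__":
    print("A ~ B:", barbed_equivalent(A, B))                    # True
    print("A|m(x).0 ~ B|m(x).0:", barbed_equivalent(A_PAR, B_PAR))  # False
```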

5.2.3 Barbed congruence 

Barbed congruence, written $\dot\simeq$, is the relation on $Proc$ obtained by strength- 
ening barbed equivalence as follows: 

$$P \dot\simeq Q \triangleq \forall R \in Proc\,(P \mid R \dot\sim Q \mid R)$$ 

Unlike barbed equivalence, barbed congruence implies testing equiva- 
lence. Therefore, whenever one wishes to prove a testing equivalence (for 
instance, a secrecy equation), it suffices to prove a barbed congruence. We 
establish the following properties of barbed congruence in Appendix D: 

Proposition 7 

(1) Barbed congruence is reflexive, transitive, and symmetric. 

(2) Barbed congruence is a congruence on closed processes. 

(3) Structural equivalence implies barbed congruence. 

(4) Strong bisimilarity implies barbed congruence. 

(5) Barbed congruence implies testing equivalence. 

The converses of the implications in parts (3), (4), and (5) do not hold, as 
we show next. 

That barbed congruence does not imply structural equivalence should be 
fairly evident. We prove it by first establishing a general property of barbed 
congruence. Let us say that a closed process $P$ is stuck if and only if there 
is no $\alpha$ and $A$ such that $P \xrightarrow{\alpha} A$. In other words, $P$ is stuck if and only if 
it has no reactions and no barbs. 
Proposition 8 If $P$ is stuck then $P \dot\simeq 0$. 

Proof Assuming that $P$ is stuck, we need to show that $P \mid R \dot\sim 0 \mid R$ 
for any closed process $R$. This holds because any barb or reaction of $P \mid R$ 
must be due to $R$ alone. □ 

This proposition implies, for example, that $\mathit{case}\ M\ \mathit{of}\ \{x\}_K\ \mathit{in}\ P$ is barbed 
congruent to $0$ whenever $M$ is not a ciphertext encrypted with $K$, 
since $\mathit{case}\ M\ \mathit{of}\ \{x\}_K\ \mathit{in}\ P$ is stuck unless $M$ is a ciphertext encrypted 
with $K$. Since none of the rules of structural equivalence allows us to derive 
$\mathit{case}\ M\ \mathit{of}\ \{x\}_K\ \mathit{in}\ P \equiv 0$, barbed congruence does not imply structural 
equivalence. 

Second, barbed congruence does not imply strong bisimilarity. For in- 
stance, the processes $(\nu K)\bar{c}\langle\{M\}_K\rangle$ and $(\nu K)\bar{c}\langle\{M'\}_K\rangle$ are not strongly 
bisimilar, but they are barbed congruent (as we prove in Section 5.3). 

Third, testing equivalence does not imply barbed congruence. Setting 
$\tau.P \triangleq (\nu m)(\bar{m}\langle *\rangle \mid m(x).P)$ for $m \notin fn(P)$, $x \notin fv(P)$, we obtain the 
testing equivalence $P \simeq \tau.P$. (We prove this equivalence in Appendix D.) 
On the other hand, $P \dot\simeq \tau.P$ does not hold in general. Moreover, barbed 
congruence is more sensitive to the branching structure of processes than 
testing equivalence. 

5.3 The Underpinning Relation 

In order to reason about attackers and their knowledge, we introduce the 
underpinning relation. We say that $x_1:\{-\}_{p_1}, \ldots, x_n:\{-\}_{p_n}$ underpins the 
agent $A$ roughly if $A$ is an agent that may contain occurrences of any of the 
variables $x_1, \ldots, x_n$, but no occurrences of any of the names $p_1, \ldots, p_n$. 
We write this: 

$$x_1:\{-\}_{p_1}, \ldots, x_n:\{-\}_{p_n} \vdash A$$ 

Our intention is that the variables $x_1, \ldots, x_n$ represent ciphertexts that 
an attacker may have intercepted encrypted under the keys $p_1, \ldots, p_n$, 
which the attacker does not have; $A$, or a subprocess of $A$, represents the 
attacker. (Here we take all keys to be names as this suffices for our present 
purposes; but the general case, where a key is an arbitrary term, could also 
be interesting.) 

Next we give a formal definition of the underpinning relation. A cipher 
environment $E$ is a finite list of entries of the form $x:\{-\}_n$, where $x$ is a 
variable and $n$ is a name; all the variables must be distinct (but the names 
need not be). We let $dom(E)$ be the set of variables mentioned in the entries 
in $E$ and $keys(E)$ be the set of names mentioned in the entries in $E$. When 
$E$ is a cipher environment, $M$ a term, and $A$ an agent, we define: 

$$E \vdash M \quad\text{iff}\quad fv(M) \subseteq dom(E) \text{ and } fn(M) \cap keys(E) = \emptyset$$ 
$$E \vdash A \quad\text{iff}\quad fv(A) \subseteq dom(E) \text{ and } fn(A) \cap keys(E) = \emptyset$$ 

The relation $\vdash$ is the underpinning relation. 

When $x:\{-\}_n$ occurs in a cipher environment, we intend that $x$ stands 
for a ciphertext of the form $\{M\}_n$. An $E$-closure is a substitution that 
fixes all the variables in $E$ to appropriate ciphertexts; more precisely, an 
$E$-closure is a substitution $\sigma$ of closed ciphertexts for variables such that 
$E \vdash \sigma$ is derivable from the following rules: 

(Closure $\emptyset$) 
$$\frac{}{\emptyset \vdash \emptyset}$$ 

(Closure Under) 
$$\frac{E \vdash \sigma \quad x \notin dom(E) \quad fv(M) = \emptyset}{E, x:\{-\}_n \vdash \sigma, \{M\}_n/x}$$ 

where $\emptyset$ represents the empty environment, the empty substitution, and the 
empty set, and $\sigma, \{M\}_n/x$ is the extension of $\sigma$ that maps $x$ to $\{M\}_n$. 

To prove secrecy properties, we would like to show that a process un- 
derpinned by a cipher environment acts uniformly no matter which cipher- 
texts are substituted for the variables in the environment. At first sight 
one might think that if $E \vdash P$, $E \vdash \sigma$, and $E \vdash \sigma'$, then $P\sigma \dot\sim P\sigma'$ on 
the reasoning that, since $P$ cannot unwrap the ciphertexts in $\sigma$ or $\sigma'$, it 
will behave the same whether closed by one or the other $E$-closure. This 
would hold were it not for the presence of matching in the language. For 
example, $E = x:\{-\}_m, y:\{-\}_m$, $P = [x\ \mathit{is}\ y]\ \bar{p}\langle 0\rangle$, $\sigma = [\{0\}_m/x, \{0\}_m/y]$, 
and $\sigma' = [\{0\}_m/x, \{1\}_m/y]$ meet the conditions above, but $P\sigma$ may output 
$0$ whereas $P\sigma'$ is stuck. Thus, $P$ can act contingently on the ciphertexts 
even though it cannot decrypt them. However, if we insist that $\sigma$ and $\sigma'$ be 
injective (that is, $x = y$ whenever $x\sigma = y\sigma$, and similarly for $\sigma'$) then we 
obtain $P\sigma \dot\sim P\sigma'$. 
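The underpinning relation, $E$-closures, injectivity and the matching counterexample above, as an added Python illustration (not the paper's own code). It assumes a term grammar reduced to names, variables and shared-key ciphertexts, with the data terms $0$ and $1$ of the example stood in for by names, and with matching decided by syntactic equality of the substituted terms.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union


# Term syntax restricted to what the underpinning relation needs: names,
# variables and shared-key ciphertexts {body}_key. The data terms 0 and 1 of
# the text's example are represented here as names (an assumption of this
# illustration, not the paper's term grammar).
@dataclass(frozen=True)
class Name:
    n: str


@dataclass(frozen=True)
class Var:
    x: str


@dataclass(frozen=True)
class Enc:
    body: "Term"
    key: "Term"


Term = Union[Name, Var, Enc]
CipherEnv = List[Tuple[str, str]]   # entries x:{-}_n as (variable, key name)
Subst = Dict[str, Term]             # maps variable names to terms


def fn(t: Term) -> Set[str]:
    """Free names of a term."""
    if isinstance(t, Name):
        return {t.n}
    if isinstance(t, Var):
        return set()
    return fn(t.body) | fn(t.key)


def fv(t: Term) -> Set[str]:
    """Free variables of a term."""
    if isinstance(t, Var):
        return {t.x}
    if isinstance(t, Name):
        return set()
    return fv(t.body) | fv(t.key)


def dom(E: CipherEnv) -> Set[str]:
    return {x for x, _ in E}


def keys(E: CipherEnv) -> Set[str]:
    return {n for _, n in E}


def underpins(E: CipherEnv, t: Term) -> bool:
    """E |- M: fv(M) lies within dom(E) and fn(M) avoids every key of E."""
    if len(dom(E)) != len(E):
        raise ValueError("variables of a cipher environment must be distinct")
    return fv(t) <= dom(E) and not (fn(t) & keys(E))


def is_closure(E: CipherEnv, sigma: Subst) -> bool:
    """E |- sigma, i.e. sigma is derivable by (Closure 0) and (Closure Under):
    it maps each x:{-}_n of E, and nothing else, to a closed ciphertext {M}_n."""
    if set(sigma) != dom(E):
        return False
    return all(isinstance(sigma[x], Enc) and sigma[x].key == Name(n)
               and not fv(sigma[x].body) for x, n in E)


def injective(sigma: Subst) -> bool:
    """x = y whenever x sigma = y sigma."""
    images = list(sigma.values())
    return len(set(images)) == len(images)


def subst(t: Term, sigma: Subst) -> Term:
    """Apply sigma to a term."""
    if isinstance(t, Var):
        return sigma.get(t.x, t)
    if isinstance(t, Name):
        return t
    return Enc(subst(t.body, sigma), subst(t.key, sigma))


def match_fires(E: CipherEnv, sigma: Subst, m: Term, n: Term) -> bool:
    """Whether [m is n] p<0>, closed by sigma, can output: matching compares
    the substituted ciphertexts syntactically, without decrypting them."""
    assert underpins(E, m) and underpins(E, n) and is_closure(E, sigma)
    return subst(m, sigma) == subst(n, sigma)


# Constructed instance of the text's counterexample: E = x:{-}_m, y:{-}_m,
# sigma = [{0}_m/x, {0}_m/y] and sigma' = [{0}_m/x, {1}_m/y].
E_EX: CipherEnv = [("x", "m"), ("y", "m")]
SIGMA: Subst = {"x": Enc(Name("0"), Name("m")), "y": Enc(Name("0"), Name("m"))}
SIGMA_PRIME: Subst = {"x": Enc(Name("0"), Name("m")), "y": Enc(Name("1"), Name("m"))}

if __name__ == "__main__":
    print("sigma injective:", injective(SIGMA))                                    # False
    print("P sigma fires:", match_fires(E_EX, SIGMA, Var("x"), Var("y")))          # True
    print("P sigma' fires:", match_fires(E_EX, SIGMA_PRIME, Var("x"), Var("y")))   # False
```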

These informal arguments lead to the following results. 

Lemma 9 Suppose that $E \vdash P$ and $E \vdash \sigma$, and that $\sigma$ is injective. 

(1) If $P\sigma \rightarrow Q'$ then there is a process $Q$ with $E \vdash Q$, $fv(Q) \subseteq fv(P)$, 
$fn(Q) \subseteq fn(P)$, and $Q' = Q\sigma$ such that, whenever $E \vdash \sigma'$ and $\sigma'$ is 
injective, $P\sigma' \rightarrow Q\sigma'$. 

(2) If $P\sigma \xrightarrow{\alpha} A'$ then there is an agent $A$ with $E \vdash A$, $fv(A) \subseteq fv(P)$, 
$fn(A) \subseteq fn(P)$, and $A' = A\sigma$ such that, whenever $E \vdash \sigma'$ and $\sigma'$ is 
injective, $P\sigma' \xrightarrow{\alpha} A\sigma'$. 

The proof of this lemma is in Appendix E. 

Proposition 10 Suppose that $E \vdash \sigma$ and $E \vdash \sigma'$, and that both $\sigma$ and $\sigma'$ 
are injective. Then $\mathcal{S} = \{(P\sigma, P\sigma') \mid E \vdash P\}$ is a barbed bisimulation. 

Proof Consider any commitment $P\sigma \xrightarrow{\alpha} A'$. By Lemma 9, there is an 
agent $A$ with $E \vdash A$, $A' = A\sigma$, and $P\sigma' \xrightarrow{\alpha} A\sigma'$. Therefore, any barb of 
$P\sigma$ is also exhibited by $P\sigma'$, and any reaction of $P\sigma$ may be matched up to 
$\mathcal{S}$ by $P\sigma'$. Therefore, $\mathcal{S}$ is a barbed simulation. Indeed by symmetry it is a 
barbed bisimulation. □ 

This last proposition provides an easy way to prove some equivalences, 
as we now demonstrate with a small proof of a familiar secrecy property. 
We prove that, for any closed terms $M$ and $M'$: 

$$(\nu K)\bar{c}\langle\{M\}_K\rangle \dot\simeq (\nu K)\bar{c}\langle\{M'\}_K\rangle$$ 

By (Struct Extrusion) and Proposition 5, it suffices to prove that: 

$$\bar{c}\langle\{M\}_K\rangle \mid R \dot\sim \bar{c}\langle\{M'\}_K\rangle \mid R$$ 

for any $R$ such that $K \notin fn(R)$. But this follows from Proposition 10 with 
$E = x:\{-\}_K$, $P = \bar{c}\langle x\rangle \mid R$, $\sigma = [\{M\}_K/x]$, and $\sigma' = [\{M'\}_K/x]$. 

6 Proofs for the Examples 

Having defined the semantics of the spi calculus and developed some proof 
techniques, we revisit the examples of the first half of the paper. We prove 
some of the authenticity and secrecy properties claimed in those examples. 
Our proofs are not quite as easy as those of special-purpose formalisms 
(e.g., [BAN89]), but they have a somewhat clearer status. With a few further 
techniques and tools, proofs such as ours could well become routine. 

6.1 Proofs for the Example of Section 2.3.1 

The example of Section 2.3.1 is our simplest one; it relies on restricted 
channels. Its main definitions are: 

$$Inst(M) \triangleq (\nu c_{AB})(\bar{c}_{AB}\langle M\rangle.0 \mid c_{AB}(x).F(x))$$ 
$$Inst_{spec}(M) \triangleq (\nu c_{AB})(\bar{c}_{AB}\langle M\rangle.0 \mid c_{AB}(x).F(M))$$ 
We can prove the authenticity property $Inst(M) \simeq Inst_{spec}(M)$ by exhibit- 
ing a simple barbed bisimulation. 

Proposition 11 For any closed term $M$, $Inst(M) \simeq Inst_{spec}(M)$. 

Proof The only commitments of $Inst(M)$ and $Inst_{spec}(M)$ are: 

$$Inst(M) \xrightarrow{\tau} (\nu c_{AB})(0 \mid F(M))$$ 
$$Inst_{spec}(M) \xrightarrow{\tau} (\nu c_{AB})(0 \mid F(M))$$ 

It follows that $Inst(M) \sim Inst_{spec}(M)$, that $Inst(M) \dot\simeq Inst_{spec}(M)$ (by 
Proposition 7(4)), and finally that $Inst(M) \simeq Inst_{spec}(M)$ (by Proposi- 
tion 7(5)). □ 

Turning to secrecy, we first prove a restricted version of the secrecy 
property claimed in Section 2.3.1: 

Lemma 12 $Inst(M) \simeq Inst(M')$ if $F(x)$ is $\bar{c}\langle *\rangle$, for any closed terms $M$ 
and $M'$. 

Proof For any $N$, the only commitment of $Inst(N)$ is: 

$$Inst(N) \xrightarrow{\tau} (\nu c_{AB})(0 \mid \bar{c}\langle *\rangle)$$ 

so clearly $Inst(M) \sim Inst(M')$. As in the previous proof, 
$Inst(M) \simeq Inst(M')$ follows. □ 

Now a little calculation yields the full secrecy property: 

Proposition 13 $Inst(M) \simeq Inst(M')$ if $F(M) \simeq F(M')$, for any closed 
terms $M$ and $M'$. 

Proof Let us write $Inst(M, (x)\bar{c}\langle *\rangle)$ for $Inst(M)$ in the special case where 
$F(x)$ is $\bar{c}\langle *\rangle$ (as in Lemma 12); note that $Inst(M)$ and $Inst_{spec}(M)$ are 
literally identical in this case. 

Assuming that $c$ is a fresh name and $y$ a fresh variable, we write $\tau.F(N)$ 
for $(\nu c)(\bar{c}\langle *\rangle \mid c(y).F(N))$. For any closed $N$, we have: 

$$(\nu c)(c_{AB}(x).\bar{c}\langle *\rangle \mid c(y).F(N)) \sim c_{AB}(x).\tau.F(N)$$ 

because the only commitments of these processes are: 

$$(\nu c)(c_{AB}(x).\bar{c}\langle *\rangle \mid c(y).F(N)) \xrightarrow{c_{AB}} (x)\tau.F(N)$$ 
$$c_{AB}(x).\tau.F(N) \xrightarrow{c_{AB}} (x)\tau.F(N)$$ 
Hence we obtain the equation: 

$$Inst_{spec}(N) \simeq (\nu c)(Inst(N, (x)\bar{c}\langle *\rangle) \mid c(y).F(N)) \qquad (1)$$ 

as follows: 

$$Inst_{spec}(N) = (\nu c_{AB})(\bar{c}_{AB}\langle N\rangle.0 \mid c_{AB}(x).F(N))$$ 
$$\simeq (\nu c_{AB})(\bar{c}_{AB}\langle N\rangle.0 \mid c_{AB}(x).(\tau.F(N)))$$ 
$$\sim (\nu c_{AB})(\bar{c}_{AB}\langle N\rangle.0 \mid (\nu c)(c_{AB}(x).\bar{c}\langle *\rangle \mid c(y).F(N)))$$ 
$$\equiv (\nu c)((\nu c_{AB})(\bar{c}_{AB}\langle N\rangle.0 \mid c_{AB}(x).\bar{c}\langle *\rangle) \mid c(y).F(N))$$ 
$$= (\nu c)(Inst(N, (x)\bar{c}\langle *\rangle) \mid c(y).F(N))$$ 

making use of the "$\tau$ law" $F(N) \simeq \tau.F(N)$ (Proposition 35), and of the facts 
that testing equivalence is a congruence (Proposition 1) and that strong 
bisimilarity implies testing equivalence (Proposition 7). 

Finally, equation (1), Lemma 12, the authenticity property of Proposi- 
tion 11, and the assumption $F(M) \simeq F(M')$ justify the following calcula- 
tion: 

$$Inst(M) \simeq Inst_{spec}(M)$$ 
$$\simeq (\nu c)(Inst(M, (x)\bar{c}\langle *\rangle) \mid c(y).F(M))$$ 
$$\simeq (\nu c)(Inst(M', (x)\bar{c}\langle *\rangle) \mid c(y).F(M'))$$ 
$$\simeq Inst_{spec}(M')$$ 
$$\simeq Inst(M')$$ 

□ 

6.2 Proofs for the Example of Section 3.2.1 

In the example of Section 3.2.1, the main definitions are: 

$$A(M) \triangleq \bar{c}_{AB}\langle\{M\}_{K_{AB}}\rangle$$ 
$$B \triangleq c_{AB}(x).\mathit{case}\ x\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ F(y)$$ 
$$Inst(M) \triangleq (\nu K_{AB})(A(M) \mid B)$$ 
$$B_{spec}(M) \triangleq c_{AB}(x).\mathit{case}\ x\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ F(M)$$ 
$$Inst_{spec}(M) \triangleq (\nu K_{AB})(A(M) \mid B_{spec}(M))$$ 

For the example of Section 2.3.1, which does not use cryptography, the 
proof of authenticity is simply a proof of strong bisimilarity. We cannot 
proceed analogously for the example of Section 3.2.1, because in fact $Inst(M)$ 
and $Inst_{spec}(M)$ are not strongly bisimilar; instead, we prove that $Inst(M)$ 
and $Inst_{spec}(M)$ are barbed congruent. 

Proposition 14 For any closed term $M$, $Inst(M) \simeq Inst_{spec}(M)$. 

Proof We prove that $Inst(M) \dot\simeq Inst_{spec}(M)$; the claim then follows since 
barbed congruence implies testing equivalence according to Proposition 7. 

Suppose that $R$ is some arbitrary closed process and $M$ is some arbitrary 
closed term. Without loss of generality, we assume that $K_{AB} \notin fn(R)$. 
Below we show that: 

$$(\bar{c}_{AB}\langle\{M\}_{K_{AB}}\rangle \mid B \mid R) \dot\sim (\bar{c}_{AB}\langle\{M\}_{K_{AB}}\rangle \mid B_{spec}(M) \mid R) \qquad (2)$$ 

By Proposition 5(4), it follows that: 

$$(\nu K_{AB})(\bar{c}_{AB}\langle\{M\}_{K_{AB}}\rangle \mid B \mid R) \dot\sim (\nu K_{AB})(\bar{c}_{AB}\langle\{M\}_{K_{AB}}\rangle \mid B_{spec}(M) \mid R)$$ 

Since $K_{AB} \notin fn(R)$, we have: 

$$Inst(M) \mid R \equiv (\nu K_{AB})(\bar{c}_{AB}\langle\{M\}_{K_{AB}}\rangle \mid B \mid R)$$ 

and similarly: 

$$Inst_{spec}(M) \mid R \equiv (\nu K_{AB})(\bar{c}_{AB}\langle\{M\}_{K_{AB}}\rangle \mid B_{spec}(M) \mid R)$$ 

Since barbed equivalence respects structural equivalence (by Proposition 5), 
we obtain: 

$$Inst(M) \mid R \dot\sim Inst_{spec}(M) \mid R$$ 

By the definition of barbed congruence, we conclude: 

$$Inst(M) \dot\simeq Inst_{spec}(M)$$ 

It remains to give a proof of equation (2). For this proof, we let 
$\sigma = [\{M\}_{K_{AB}}/x]$ and introduce the following relation $\mathcal{S}$: 

$$P\ \mathcal{S}\ Q \quad\text{iff}\quad P = B \mid R_1\sigma \text{ and } Q = B_{spec}(M) \mid R_1\sigma$$ 
$$\text{for some } R_1 \text{ such that } x:\{-\}_{K_{AB}} \vdash R_1$$ 

Intuitively, the process $R_1\sigma$ represents both $A$ and an attacker that does not 
have $K_{AB}$. We prove that $\mathcal{S} \cup \dot\sim$ is a barbed bisimulation. This amounts to 
showing that if $P\ \mathcal{S}\ Q$ then $P$ and $Q$ can each match the other's barbs and 
reactions. 

If $P\ \mathcal{S}\ Q$ then there exists $R_1$ such that $P = B \mid R_1\sigma$ and $Q = B_{spec}(M) \mid R_1\sigma$, 
and $x:\{-\}_{K_{AB}} \vdash R_1$. Hence the barbs of $P$ are: 

(1) $P \downarrow c_{AB}$ (from $B$), 

(2) $P \downarrow \beta$ if $R_1\sigma \downarrow \beta$. 

Clearly $Q$ exhibits these barbs too. The reactions of $P$ are: 

(1) if $R_1\sigma \xrightarrow{\bar{c}_{AB}} (\nu\vec{n})\langle N\rangle R'$ and $P' = (\nu\vec{n})(\mathit{case}\ N\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ F(y) \mid R')$ 
then $P \rightarrow P'$, 

(2) if $R_1\sigma \xrightarrow{\tau} R'$ and $P' = B \mid R'$ then $P \rightarrow P'$. 

(One can calculate these reactions via the commitment relation and Propo- 
sition 3. Without loss of generality, we assume that the names $\vec{n}$ are fresh.) 
We show that, in each case, $Q$ can match these reactions of $P$. 

(1) One of the reactions of $Q$ is: 

$$Q \rightarrow Q' = (\nu\vec{n})(\mathit{case}\ N\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ F(M) \mid R')$$ 

Now it suffices to show that $P' \dot\sim Q'$. By Lemma 9(2), there exists 
$R'_1$ such that $x:\{-\}_{K_{AB}} \vdash R'_1$ and $R'_1\sigma = (\nu\vec{n})\langle N\rangle R'$. Therefore, $R'_1$ 
must have the form $(\nu\vec{n})\langle N_0\rangle R_0$ with $N = N_0\sigma$, $R' = R_0\sigma$, and both 
$x:\{-\}_{K_{AB}} \vdash N_0$ and $x:\{-\}_{K_{AB}} \vdash R_0$. Since $x:\{-\}_{K_{AB}} \vdash N_0$, either 
$N_0\sigma$ is $\{M\}_{K_{AB}}$ (if $N_0$ is $x$) or $N_0\sigma$ is not a ciphertext encrypted with 
$K_{AB}$. 

In the former case, we have: 

$$P' = (\nu\vec{n})(\mathit{case}\ \{M\}_{K_{AB}}\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ F(y) \mid R')$$ 
$$\equiv (\nu\vec{n})(F(M) \mid R')$$ 
$$\equiv (\nu\vec{n})(\mathit{case}\ \{M\}_{K_{AB}}\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ F(M) \mid R')$$ 
$$= Q'$$ 

In the latter case, decryption gets stuck, and by appeal to Proposi- 
tions 5 and 8 we get: 

$$P' = (\nu\vec{n})(\mathit{case}\ N\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ F(y) \mid R')$$ 
$$\dot\sim (\nu\vec{n})(0 \mid R')$$ 
$$\dot\sim (\nu\vec{n})(\mathit{case}\ N\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ F(M) \mid R')$$ 
$$= Q'$$ 

In both cases, we obtain $P' \dot\sim Q'$ by Proposition 5. 
(2) One of the reactions of $Q$ is: 

$$Q \rightarrow Q' = B_{spec}(M) \mid R'$$ 

Now it suffices to show that $P' \equiv\mathcal{S}\equiv Q'$. By Lemma 9(2), there exists 
$R'_1$ such that $x:\{-\}_{K_{AB}} \vdash R'_1$ and $R'_1\sigma = R'$. Therefore, $(B \mid R')\ \mathcal{S}\ Q'$, 
and hence $P' \equiv\mathcal{S}\equiv Q'$. 

Almost identical reasoning shows that $P$ can match the barbs and reactions 
of $Q$. We conclude that $\mathcal{S} \cup \dot\sim$ is a barbed bisimulation, so $\mathcal{S} \subseteq \dot\sim$. 
In order to derive equation (2), we let $R_1 = \bar{c}_{AB}\langle x\rangle \mid R$. We obtain: 

$$\bar{c}_{AB}\langle\{M\}_{K_{AB}}\rangle \mid B \mid R \equiv B \mid R_1\sigma$$ 
$$\mathcal{S}\ B_{spec}(M) \mid R_1\sigma$$ 
$$\equiv \bar{c}_{AB}\langle\{M\}_{K_{AB}}\rangle \mid B_{spec}(M) \mid R$$ 

Equation (2) follows since $\mathcal{S} \subseteq \dot\sim$ and by Proposition 5. □ 

For proving secrecy, we adopt the same general strategy as in Section 6.1. 
We first prove a restricted version of the secrecy property: 

Lemma 15 $Inst(M) \simeq Inst(M')$ if $F(x)$ is $\bar{c}\langle *\rangle$, for any closed terms $M$ 
and $M'$. 

Proof Almost exactly as in the proof of Proposition 14, it suffices to prove 
the equation: 

$$(\bar{c}_{AB}\langle\{M\}_{K_{AB}}\rangle \mid B \mid R) \dot\sim (\bar{c}_{AB}\langle\{M'\}_{K_{AB}}\rangle \mid B \mid R) \qquad (3)$$ 

for any closed process $R$ such that $K_{AB} \notin fn(R)$, and any closed terms $M$ 
and $M'$. 

For the proof of this equation, we let $\sigma = [\{M\}_{K_{AB}}/x]$ and 
$\sigma' = [\{M'\}_{K_{AB}}/x]$, and introduce the following relation $\mathcal{S}$: 

$$P\ \mathcal{S}\ Q \quad\text{iff}\quad P = B \mid R_1\sigma \text{ and } Q = B \mid R_1\sigma'$$ 
$$\text{for some } R_1 \text{ such that } x:\{-\}_{K_{AB}} \vdash R_1$$ 

The relation $\{(R_1\sigma, R_1\sigma') \mid x:\{-\}_{K_{AB}} \vdash R_1\}$ is a barbed bisimulation, ac- 
cording to Proposition 10. We prove that $\mathcal{S} \cup \dot\sim$ is a barbed bisimulation. 
This amounts to showing that if $P\ \mathcal{S}\ Q$ then $P$ and $Q$ can each match the 
other's barbs and reactions. 

If $P\ \mathcal{S}\ Q$ then there exists $R_1$ such that $P = B \mid R_1\sigma$ and $Q = B \mid R_1\sigma'$, 
and $x:\{-\}_{K_{AB}} \vdash R_1$. Hence the barbs of $P$ are: 

(1) $P \downarrow c_{AB}$ (from $B$), 

(2) $P \downarrow \beta$ if $R_1\sigma \downarrow \beta$. 

Clearly $Q$ exhibits these barbs too, since $R_1\sigma$ and $R_1\sigma'$ are in a barbed 
bisimulation. The reactions of $P$ are: 

(1) if $R_1\sigma \xrightarrow{\bar{c}_{AB}} (\nu\vec{n})\langle N\rangle R'$ and $P' = (\nu\vec{n})(\mathit{case}\ N\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ \bar{c}\langle *\rangle \mid R')$ 
then $P \rightarrow P'$, 

(2) if $R_1\sigma \xrightarrow{\tau} R'$ and $P' = B \mid R'$ then $P \rightarrow P'$. 

(As in the proof of Proposition 14, we assume that the names $\vec{n}$ are fresh.) 
We show that, in each case, $Q$ can match these reactions of $P$. 

(1) By Lemma 9(2), there exists $R'_1$ such that $x:\{-\}_{K_{AB}} \vdash R'_1$, 
$R'_1\sigma = (\nu\vec{n})\langle N\rangle R'$, and $R_1\sigma' \xrightarrow{\bar{c}_{AB}} (\nu\vec{n})\langle N_0\sigma'\rangle R_0\sigma'$. Therefore, $R'_1$ must have 
the form $(\nu\vec{n})\langle N_0\rangle R_0$ with $N = N_0\sigma$, $R' = R_0\sigma$, and both $x:\{-\}_{K_{AB}} \vdash N_0$ 
and $x:\{-\}_{K_{AB}} \vdash R_0$. Since $R_1\sigma' \xrightarrow{\bar{c}_{AB}} (\nu\vec{n})\langle N_0\sigma'\rangle R_0\sigma'$, we have: 

$$Q \rightarrow Q' = (\nu\vec{n})(\mathit{case}\ N_0\sigma'\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ \bar{c}\langle *\rangle \mid R_0\sigma')$$ 

Now it suffices to show that $P' \dot\sim Q'$. Since $x:\{-\}_{K_{AB}} \vdash N_0$, either 
$N_0\sigma$ and $N_0\sigma'$ are $\{M\}_{K_{AB}}$ and $\{M'\}_{K_{AB}}$ respectively (if $N_0$ is $x$) or 
$N_0\sigma$ and $N_0\sigma'$ are not ciphertexts encrypted with $K_{AB}$. 

In the former case, we have: 

$$P' = (\nu\vec{n})(\mathit{case}\ \{M\}_{K_{AB}}\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ \bar{c}\langle *\rangle \mid R')$$ 
$$\equiv (\nu\vec{n})(\bar{c}\langle *\rangle \mid R')$$ 
$$= (\nu\vec{n})(\bar{c}\langle *\rangle \mid R_0\sigma)$$ 
$$\dot\sim (\nu\vec{n})(\bar{c}\langle *\rangle \mid R_0\sigma')$$ 
$$\equiv (\nu\vec{n})(\mathit{case}\ \{M'\}_{K_{AB}}\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ \bar{c}\langle *\rangle \mid R_0\sigma')$$ 
$$= Q'$$ 

The step $(\nu\vec{n})(\bar{c}\langle *\rangle \mid R') \dot\sim (\nu\vec{n})(\bar{c}\langle *\rangle \mid R_0\sigma')$ is justified by Proposi- 
tion 10, since $x:\{-\}_{K_{AB}} \vdash (\nu\vec{n})(\bar{c}\langle *\rangle \mid R_0)$. 

In the latter case, decryption gets stuck, and by appeal to Proposi- 
tions 5 and 8 we get: 

$$P' = (\nu\vec{n})(\mathit{case}\ N\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ \bar{c}\langle *\rangle \mid R')$$ 
$$\dot\sim (\nu\vec{n})(0 \mid R')$$ 
$$= (\nu\vec{n})(0 \mid R_0\sigma)$$ 
$$\dot\sim (\nu\vec{n})(0 \mid R_0\sigma')$$ 
$$\dot\sim (\nu\vec{n})(\mathit{case}\ N_0\sigma'\ \mathit{of}\ \{y\}_{K_{AB}}\ \mathit{in}\ \bar{c}\langle *\rangle \mid R_0\sigma')$$ 
$$= Q'$$ 

The step $(\nu\vec{n})(0 \mid R') \dot\sim (\nu\vec{n})(0 \mid R_0\sigma')$ is justified by Proposition 10, 
since $x:\{-\}_{K_{AB}} \vdash (\nu\vec{n})(0 \mid R_0)$. 

In both cases, we obtain $P' \dot\sim Q'$ by Proposition 5. 

(2) By Lemma 9(2), there exists $R'_1$ such that $x:\{-\}_{K_{AB}} \vdash R'_1$, $R'_1\sigma = R'$, 
and $R_1\sigma' \xrightarrow{\tau} R'_1\sigma'$, so: 

$$Q \rightarrow Q' = B \mid R'_1\sigma'$$ 

Clearly, $(B \mid R')\ \mathcal{S}\ Q'$, and hence $P' \equiv\mathcal{S}\equiv Q'$. 

The proof that $P$ can match the barbs and reactions of $Q$ is symmetric. We 
conclude that $\mathcal{S} \cup \dot\sim$ is a barbed bisimulation, so $\mathcal{S} \subseteq \dot\sim$. 

In order to derive equation (3) we let $R_1 = \bar{c}_{AB}\langle x\rangle \mid R$. We obtain: 

$$\bar{c}_{AB}\langle\{M\}_{K_{AB}}\rangle \mid B \mid R \equiv B \mid R_1\sigma$$ 
$$\mathcal{S}\ B \mid R_1\sigma'$$ 
$$\equiv \bar{c}_{AB}\langle\{M'\}_{K_{AB}}\rangle \mid B \mid R$$ 

Equation (3) follows since $\mathcal{S} \subseteq \dot\sim$ and by Proposition 5. □ 

The full secrecy property follows. 

Proposition 16 $Inst(M) \simeq Inst(M')$ if $F(M) \simeq F(M')$, for any closed 
terms $M$ and $M'$. 

Proof The proof is exactly analogous to that of Proposition 13, and relies 
on Proposition 14, Lemma 15, and the equation: 

$$Inst_{spec}(N) \simeq (\nu c)(Inst(N, (x)\bar{c}\langle *\rangle) \mid c(y).F(N))$$ 

□ 
6.3 Proofs for the Example of Section 3.2.2 

The definitions of the example of Section 3.2.2 can be rephrased as follows: 

$$A(M) \triangleq (\nu K_{AB})(\bar{c}_{AS}\langle\{K_{AB}\}_{K_{AS}}\rangle.\bar{c}_{AB}\langle\{M\}_{K_{AB}}\rangle)$$ 
$$S \triangleq c_{AS}(x).\mathit{case}\ x\ \mathit{of}\ \{y\}_{K_{AS}}\ \mathit{in}\ \bar{c}_{SB}\langle\{y\}_{K_{SB}}\rangle$$ 
$$B \triangleq c_{SB}(x).\mathit{case}\ x\ \mathit{of}\ \{y\}_{K_{SB}}\ \mathit{in}\ B'(y)$$ 
$$B'(y) \triangleq c_{AB}(z).\mathit{case}\ z\ \mathit{of}\ \{w\}_y\ \mathit{in}\ F(w)$$ 
$$B_{spec}(M) \triangleq c_{SB}(x).\mathit{case}\ x\ \mathit{of}\ \{y\}_{K_{SB}}\ \mathit{in}\ B'_{spec}(M, y)$$ 
$$B'_{spec}(M, y) \triangleq c_{AB}(z).\mathit{case}\ z\ \mathit{of}\ \{w\}_y\ \mathit{in}\ F(M)$$ 
$$Inst(M) \triangleq (\nu K_{AS})(\nu K_{SB})(A(M) \mid S \mid B)$$ 
$$Inst_{spec}(M) \triangleq (\nu K_{AS})(\nu K_{SB})(A(M) \mid S \mid B_{spec}(M))$$ 



The proof of authenticity uses the same techniques as that of Section 6.2, 
but is more complex. 

Proposition 17 For any closed term $M$, $Inst(M) \simeq Inst_{spec}(M)$. 

Proof Since barbed congruence implies testing equivalence according to 
Proposition 7, it suffices to show that the two processes are barbed congru- 
ent, that is, that: 

$$Inst(M) \mid R \dot\sim Inst_{spec}(M) \mid R \qquad (4)$$ 

for any closed process $R$. Without loss of generality, we assume that the 
names $K_{AS}$, $K_{SB}$, and $K_{AB}$ do not occur free in $R$. 
Below, we construct a relation $\mathcal{S} \subseteq \dot\sim$ that pairs 

$$S \mid B \mid \bar{c}_{AS}\langle\{K_{AB}\}_{K_{AS}}\rangle.\bar{c}_{AB}\langle\{M\}_{K_{AB}}\rangle \mid R \qquad (5)$$ 

and 

$$S \mid B_{spec}(M) \mid \bar{c}_{AS}\langle\{K_{AB}\}_{K_{AS}}\rangle.\bar{c}_{AB}\langle\{M\}_{K_{AB}}\rangle \mid R \qquad (6)$$ 

Therefore, these processes are barbed equivalent. Since barbed equivalence 
is closed under restriction (by Proposition 5(4)), it follows that 

$$(\nu K_{AS})(\nu K_{SB})(\nu K_{AB})(S \mid B \mid \bar{c}_{AS}\langle\{K_{AB}\}_{K_{AS}}\rangle.\bar{c}_{AB}\langle\{M\}_{K_{AB}}\rangle \mid R)$$ 

and 

$$(\nu K_{AS})(\nu K_{SB})(\nu K_{AB})(S \mid B_{spec}(M) \mid \bar{c}_{AS}\langle\{K_{AB}\}_{K_{AS}}\rangle.\bar{c}_{AB}\langle\{M\}_{K_{AB}}\rangle \mid R)$$ 

are barbed equivalent. Equation (4) now follows from the facts that these 
two processes are structurally equivalent to $Inst(M) \mid R$ and to $Inst_{spec}(M) \mid R$ 
respectively (since the names $K_{AS}$, $K_{SB}$, and $K_{AB}$ do not occur free in 
$R$), and that barbed equivalence respects structural equivalence (by Propo- 
sition 5). 

It remains to define the relation $\mathcal{S}$ that pairs the processes (5) and (6). 
For this purpose, we let environment $E$ and substitution $\sigma$ be as follows: 

$$E = x_1:\{-\}_{K_{AS}}, x_2:\{-\}_{K_{SB}}, x_3:\{-\}_{K_{AB}}$$ 
$$\sigma = [\{K_{AB}\}_{K_{AS}}/x_1, \{K_{AB}\}_{K_{SB}}/x_2, \{M\}_{K_{AB}}/x_3]$$ 

and we set: 

$$\mathcal{S} = \mathcal{S}_1 \cup \mathcal{S}_2 \cup \mathcal{S}_3$$ 

where: 

$$\mathcal{S}_1 = \{(S \mid B \mid R_1\sigma,\ S \mid B_{spec}(M) \mid R_1\sigma) \mid E \vdash R_1 \text{ and } fv(R_1) \subseteq \{x_1, x_3\}\}$$ 
$$\mathcal{S}_2 = \{(B \mid R_2\sigma,\ B_{spec}(M) \mid R_2\sigma) \mid E \vdash R_2\}$$ 
$$\mathcal{S}_3 = \{(B'(K_{AB}) \mid R_3\sigma,\ B'_{spec}(M, K_{AB}) \mid R_3\sigma) \mid E \vdash R_3\}$$ 

The relation $\mathcal{S}_1$ pairs the processes (5) and (6), since we can take $R_1$ to 
be $\bar{c}_{AS}\langle x_1\rangle.\bar{c}_{AB}\langle x_3\rangle \mid R$. Therefore, the relation $\mathcal{S}$ pairs the processes (5) 
and (6), as desired. 

Intuitively, each relation $\mathcal{S}_i$ concerns a state (or class of states) reachable 
by the participants in the protocol. Each $R_i\sigma$ represents an observer in 
possession of some or all of the three messages sent by the participants. 
In some cases, some of the participants are viewed as part of the observer 
process. 

• $\mathcal{S}_1$ concerns the initial state and states reachable when the observer 
receives the messages $\{K_{AB}\}_{K_{AS}}$ and $\{M\}_{K_{AB}}$ from $A$. 

• $\mathcal{S}_2$ concerns the states reachable when $S$ receives a message on $c_{AS}$. 
There is no need to include the residue of $S$ explicitly. In particular, 
the residue $\bar{c}_{SB}\langle\{K_{AB}\}_{K_{SB}}\rangle$ can be considered part of the observer 
process $R_2\sigma$ in $\mathcal{S}_2$. 

• $\mathcal{S}_3$ concerns the states reachable when $B$ receives $\{K_{AB}\}_{K_{SB}}$ on $c_{SB}$. 
(In the definition of $\mathcal{S}$, there is no need to consider the states reachable 
when $B$ receives a message on $c_{AB}$, as at that point the resulting 
processes are evidently barbed equivalent.) 

The condition $E \vdash R_i$ implies that none of the keys $K_{AS}$, $K_{SB}$, or $K_{AB}$ 
occurs in $R_i$. It also implies that $fv(R_i) \subseteq \{x_1, x_2, x_3\}$. Depending on 
whether variable $x_1$, $x_2$, or $x_3$ occurs free in $R_i$, the observer process $R_i\sigma$ 
possesses ciphertext $\{K_{AB}\}_{K_{AS}}$, $\{K_{AB}\}_{K_{SB}}$, or $\{M\}_{K_{AB}}$ respectively. 

To complete the proof, it suffices to establish that $\mathcal{S} \subseteq \dot\sim$. For this pur- 
pose, we invoke Proposition 6, and show that $\mathcal{S} \cup \Delta$ is a barbed bisimulation 
up to $\dot\sim$, where $\Delta$ is the identity relation on closed processes. In light of 
Proposition 5(1), we show, for each $i \in 1..3$, that $P\ \mathcal{S}_i\ Q$ implies: (1) that 
any barb exhibited by $P$ is also exhibited by $Q$, and vice versa, and (2) that 
for any reaction $P \rightarrow P'$ there is $Q'$ with $Q \rightarrow Q'$ and either $P' \dot\sim\mathcal{S}\dot\sim Q'$ 
or $P' \dot\sim Q'$, and vice versa. Condition (1) is obviously true, since $P\ \mathcal{S}_i\ Q$ 
implies that $P$ and $Q$ have almost identical structure. To show condition 
(2), we consider each $\mathcal{S}_i$ in turn. 

• Suppose $P\ \mathcal{S}_1\ Q$, that is, 

$$P = S \mid B \mid R_1\sigma$$ 
$$Q = S \mid B_{spec}(M) \mid R_1\sigma$$ 

with $E \vdash R_1$ and $fv(R_1) \subseteq \{x_1, x_3\}$. There are four ways in which a re- 
action $P \rightarrow P'$ may be derived: (1) $S$ receives the message $\{K_{AB}\}_{K_{AS}}$ 
from $R_1\sigma$; (2) $S$ receives some other message from $R_1\sigma$; (3) $B$ receives 
some message from $R_1\sigma$; (4) $R_1\sigma$ reacts on its own. 

In case (1), $P'$ is: 

$$\bar{c}_{SB}\langle\{K_{AB}\}_{K_{SB}}\rangle \mid B \mid C$$ 

where $C$ is a residue of $R_1\sigma$ such that $R_1\sigma \xrightarrow{\bar{c}_{AS}} (\nu)\langle\{K_{AB}\}_{K_{AS}}\rangle C$. By 
Lemma 9(2), $C$ is of the form $R'_1\sigma$ with $E \vdash R'_1$. Thus, $P'$ is: 

$$\bar{c}_{SB}\langle\{K_{AB}\}_{K_{SB}}\rangle \mid B \mid R'_1\sigma$$ 

For $Q'$, we take: 

$$\bar{c}_{SB}\langle\{K_{AB}\}_{K_{SB}}\rangle \mid B_{spec}(M) \mid R'_1\sigma$$ 

We obtain $Q \rightarrow Q'$ and $P' \dot\sim\mathcal{S}_2\dot\sim Q'$ by letting $R_2$ be $\bar{c}_{SB}\langle x_2\rangle \mid R'_1$. 
In case (2), we invoke Lemma 9(2) again, showing that the message 
received by $S$ cannot be a ciphertext encrypted under $K_{AS}$. That 
lemma implies that if $R_1\sigma \xrightarrow{\bar{c}_{AS}} (\nu\vec{n})\langle N\rangle C$ (where we may assume that 
the names $\vec{n}$ are fresh) then there is a process $R'_1$ and a term $N_1$ with 
$E \vdash R'_1$, $E \vdash N_1$, $C = R'_1\sigma$, and $N = N_1\sigma$. So $N$ cannot be of the 
form $\{N'\}_{K_{AS}}$ unless $N'$ is $K_{AB}$. Therefore, $S$ gets stuck, and $P'$ is 
barbed equivalent to: 

$$B \mid (\nu\vec{n})(R'_1\sigma)$$ 

by Propositions 8 and 5. For $Q'$, we take: 

$$B_{spec}(M) \mid (\nu\vec{n})(R'_1\sigma)$$ 

We obtain $Q \rightarrow Q'$ and $P' \dot\sim\mathcal{S}_2\dot\sim Q'$ by letting $R_2$ be $(\nu\vec{n})R'_1$ and 
noting that $E \vdash R'_1$ implies $E \vdash (\nu\vec{n})R'_1$. 

In case (3), we invoke Lemma 9(2) again, showing this time that the 
message received by $B$ cannot be a ciphertext encrypted under $K_{SB}$. 
In this case, that lemma says that if $R_1\sigma \xrightarrow{\bar{c}_{SB}} (\nu\vec{n})\langle N\rangle C$ (where we 
may assume that the names $\vec{n}$ are fresh) then there is a process $R'_1$ and 
a term $N_1$ with $E \vdash R'_1$, $E \vdash N_1$, $C = R'_1\sigma$, and $N = N_1\sigma$; in addition, 
$fv(N_1) \subseteq fv(R_1)$, and hence $x_2 \notin fv(N_1)$. So $N$ cannot be of the form 
$\{N'\}_{K_{SB}}$. Therefore, $B$ gets stuck, and $P'$ is barbed equivalent to: 

$$S \mid (\nu\vec{n})(R'_1\sigma)$$ 

by Propositions 8 and 5. For $Q'$, we take: 

$$S \mid (\nu\vec{n})(R'_1\sigma)$$ 

We obtain $Q \rightarrow Q'$ and $P' \dot\sim Q'$. 

In case (4), $P'$ has the form $S \mid B \mid C$ where, by Lemma 9(2), $C = R'_1\sigma$ 
for some $R'_1$ such that $E \vdash R'_1$ and $fv(R'_1) \subseteq fv(R_1)$. Thus, $P'$ is: 

$$S \mid B \mid R'_1\sigma$$ 

For $Q'$, we take: 

$$S \mid B_{spec}(M) \mid R'_1\sigma$$ 

We obtain $Q \rightarrow Q'$ and $P' \dot\sim\mathcal{S}_1\dot\sim Q'$. 

• Suppose $P\ \mathcal{S}_2\ Q$, that is, 

$$P = B \mid R_2\sigma$$ 
$$Q = B_{spec}(M) \mid R_2\sigma$$ 

with $E \vdash R_2$. There are three ways in which a reaction $P \rightarrow P'$ may 
be derived: (1) $B$ receives the message $\{K_{AB}\}_{K_{SB}}$ from $R_2\sigma$; (2) $B$ 
receives some other message from $R_2\sigma$; (3) $R_2\sigma$ reacts on its own. 

In case (1), $P'$ is: 

$$B'(K_{AB}) \mid C$$ 

where $C$ is a residue of $R_2\sigma$ such that $R_2\sigma \xrightarrow{\bar{c}_{SB}} (\nu)\langle\{K_{AB}\}_{K_{SB}}\rangle C$. By 
Lemma 9(2), $C$ is of the form $R'_2\sigma$ with $E \vdash R'_2$. Thus, $P'$ is: 

$$B'(K_{AB}) \mid R'_2\sigma$$ 

For $Q'$, we take: 

$$B'_{spec}(M, K_{AB}) \mid R'_2\sigma$$ 

We obtain $Q \rightarrow Q'$ and $P' \dot\sim\mathcal{S}_3\dot\sim Q'$ by letting $R_3$ be $R'_2$. 

In case (2), we invoke Lemma 9(2) again, showing that the message 
received by $B$ cannot be a ciphertext encrypted under $K_{SB}$. That 
lemma implies that if $R_2\sigma \xrightarrow{\bar{c}_{SB}} (\nu\vec{n})\langle N\rangle C$ (where we may assume that 
the names $\vec{n}$ are fresh) then there is a process $R'_2$ and a term $N_2$ with 
$E \vdash R'_2$, $E \vdash N_2$, $C = R'_2\sigma$, and $N = N_2\sigma$. So $N$ cannot be of the 
form $\{N'\}_{K_{SB}}$ unless $N'$ is $K_{AB}$. Therefore, $B$ gets stuck, and $P'$ is 
barbed equivalent to $(\nu\vec{n})(R'_2\sigma)$ by Propositions 8 and 5. For $Q'$, we 
take $(\nu\vec{n})(R'_2\sigma)$. We obtain $Q \rightarrow Q'$ and $P' \dot\sim Q'$. 

In case (3), $P'$ has the form $B \mid C$ where, by Lemma 9(2), $C = R'_2\sigma$ 
for some $R'_2$ such that $E \vdash R'_2$. Thus, $P'$ is: 

$$B \mid R'_2\sigma$$ 

For $Q'$, we take: 

$$B_{spec}(M) \mid R'_2\sigma$$ 

We obtain $Q \rightarrow Q'$ and $P' \dot\sim\mathcal{S}_2\dot\sim Q'$. 

• Suppose $P\ \mathcal{S}_3\ Q$, that is, 

$$P = B'(K_{AB}) \mid R_3\sigma$$ 
$$Q = B'_{spec}(M, K_{AB}) \mid R_3\sigma$$ 

with $E \vdash R_3$. There are three ways in which a reaction $P \rightarrow P'$ may be 
derived: (1) $B$ receives the message $\{M\}_{K_{AB}}$ from $R_3\sigma$; (2) $B$ receives 
some other message from $R_3\sigma$; (3) $R_3\sigma$ reacts on its own. 
In case (1), $P' = F(M) \mid C$, where $C$ is a process such that 
$R_3\sigma \xrightarrow{\bar{c}_{AB}} (\nu)\langle\{M\}_{K_{AB}}\rangle C$. We take $Q'$ to be $F(M) \mid C$, obtaining $Q \rightarrow Q'$ and 
$P' \dot\sim Q'$. 

In case (2), we invoke Lemma 9(2) again, showing that the message 
received by $B$ cannot be a ciphertext encrypted under $K_{AB}$. That 
lemma implies that if $R_3\sigma \xrightarrow{\bar{c}_{AB}} (\nu\vec{n})\langle N\rangle C$ (where we may assume that 
the names $\vec{n}$ are fresh) then there is an agent $R'_3$ and a term $N_3$ with 
$E \vdash R'_3$, $E \vdash N_3$, $C = R'_3\sigma$, and $N = N_3\sigma$. So $N$ cannot be of the 
form $\{N'\}_{K_{AB}}$ unless $N'$ is $M$. Therefore, $B$ gets stuck, and $P'$ is 
barbed equivalent to $(\nu\vec{n})(R'_3\sigma)$ by Propositions 8 and 5. For $Q'$, we 
take $(\nu\vec{n})(R'_3\sigma)$. We obtain $Q \rightarrow Q'$ and $P' \dot\sim Q'$. 

In case (3), $P'$ has the form $B'(K_{AB}) \mid C$ where, by Lemma 9(2), 
$C = R'_3\sigma$ for some $R'_3$ such that $E \vdash R'_3$. Thus, $P'$ is: 

$$B'(K_{AB}) \mid R'_3\sigma$$ 

For $Q'$, we take: 

$$B'_{spec}(M, K_{AB}) \mid R'_3\sigma$$ 

We obtain $Q \rightarrow Q'$ and $P' \dot\sim\mathcal{S}_3\dot\sim Q'$. 

We can show by similar reasoning that if $Q \rightarrow Q'$ then there is $P'$ with 
$P \rightarrow P'$ and either $P' \dot\sim\mathcal{S}\dot\sim Q'$ or $P' \dot\sim Q'$. □ 

As before, we prove a simplified secrecy property as a step towards the 
full secrecy property. 

Lemma 18 $Inst(M) \simeq Inst(M')$ if $F(x)$ is $\bar{c}\langle *\rangle$, for any closed terms $M$ 
and $M'$. 

Proof Exactly as in the proof of Proposition 17, it suffices to exhibit a 
relation $\mathcal{S} \subseteq \dot\sim$ that pairs 

$$S \mid B \mid \bar{c}_{AS}\langle\{K_{AB}\}_{K_{AS}}\rangle.\bar{c}_{AB}\langle\{M\}_{K_{AB}}\rangle \mid R \qquad (7)$$ 

and 

$$S \mid B \mid \bar{c}_{AS}\langle\{K_{AB}\}_{K_{AS}}\rangle.\bar{c}_{AB}\langle\{M'\}_{K_{AB}}\rangle \mid R \qquad (8)$$ 

where $R$ is any closed process such that the names $K_{AS}$, $K_{SB}$, and $K_{AB}$ do 
not occur free in $R$. 
We can obtain such a relation via the following definitions: 

$$\sigma = [\{K_{AB}\}_{K_{AS}}/x_1, \{K_{AB}\}_{K_{SB}}/x_2, \{M\}_{K_{AB}}/x_3]$$ 
$$\sigma' = [\{K_{AB}\}_{K_{AS}}/x_1, \{K_{AB}\}_{K_{SB}}/x_2, \{M'\}_{K_{AB}}/x_3]$$ 
$$\mathcal{S}_1 = \{(S \mid B \mid R_1\sigma,\ S \mid B \mid R_1\sigma') \mid E \vdash R_1 \text{ and } fv(R_1) \subseteq \{x_1, x_3\}\}$$ 
$$\mathcal{S}_2 = \{(B \mid R_2\sigma,\ B \mid R_2\sigma') \mid E \vdash R_2\}$$ 
$$\mathcal{S}_3 = \{(B'(K_{AB}) \mid R_3\sigma,\ B'(K_{AB}) \mid R_3\sigma') \mid E \vdash R_3\}$$ 
$$\mathcal{S} = \mathcal{S}_1 \cup \mathcal{S}_2 \cup \mathcal{S}_3$$ 

The relation $\mathcal{S}_1$ pairs the processes (7) and (8), since we can take $R_1$ to be 
$\bar{c}_{AS}\langle x_1\rangle.\bar{c}_{AB}\langle x_3\rangle \mid R$, as before. Therefore, the relation $\mathcal{S}$ pairs the processes 
(7) and (8). 

Moreover, via the same case analysis as in Proposition 17, and a broadly 
similar argument, we obtain that $\mathcal{S} \subseteq \dot\sim$. We show, for each $i \in 1..3$, that 
$P\ \mathcal{S}_i\ Q$ implies: (1) that any barb exhibited by $P$ is also exhibited by $Q$, and 
vice versa, and (2) that for any reaction $P \rightarrow P'$ there is $Q'$ with $Q \rightarrow Q'$ 
and either $P' \dot\sim\mathcal{S}\dot\sim Q'$ or $P' \dot\sim Q'$, and vice versa. Condition (1) is true, 
since $P\ \mathcal{S}_i\ Q$ implies that $P$ and $Q$ have almost identical structure; the 
differences in substitutions do not affect the barbs of $P$ and $Q$. To show 
condition (2), we consider each $\mathcal{S}_i$ in turn. 

• Suppose $P\ \mathcal{S}_1\ Q$, that is, 

$$P = S \mid B \mid R_1\sigma$$ 
$$Q = S \mid B \mid R_1\sigma'$$ 

with $E \vdash R_1$ and $fv(R_1) \subseteq \{x_1, x_3\}$. There are four ways in which a re- 
action $P \rightarrow P'$ may be derived: (1) $S$ receives the message $\{K_{AB}\}_{K_{AS}}$ 
from $R_1\sigma$; (2) $S$ receives some other message from $R_1\sigma$; (3) $B$ receives 
some message from $R_1\sigma$; (4) $R_1\sigma$ reacts on its own. 

In case (1), $P'$ is: 

$$\bar{c}_{SB}\langle\{K_{AB}\}_{K_{SB}}\rangle \mid B \mid C$$ 

where $C$ is a residue of $R_1\sigma$ such that $R_1\sigma \xrightarrow{\bar{c}_{AS}} (\nu)\langle\{K_{AB}\}_{K_{AS}}\rangle C$. 
According to Lemma 9(2), $(\nu)\langle\{K_{AB}\}_{K_{AS}}\rangle C$ can be written in the 
form $(\nu)\langle N_1\sigma\rangle R'_1\sigma$ with $E \vdash R'_1$ and $E \vdash N_1$. Thus, $P'$ is: 

$$\bar{c}_{SB}\langle\{K_{AB}\}_{K_{SB}}\rangle \mid B \mid R'_1\sigma$$ 

For $Q'$, we take: 

$$\bar{c}_{SB}\langle\{K_{AB}\}_{K_{SB}}\rangle \mid B \mid R'_1\sigma'$$ 

By Lemma 9(2), $R_1\sigma' \xrightarrow{\bar{c}_{AS}} (\nu)\langle N_1\sigma'\rangle R'_1\sigma'$. Since $N_1\sigma$ is $\{K_{AB}\}_{K_{AS}}$, we 
have that $N_1\sigma'$ is also $\{K_{AB}\}_{K_{AS}}$. Hence, $R_1\sigma' \xrightarrow{\bar{c}_{AS}} (\nu)\langle\{K_{AB}\}_{K_{AS}}\rangle R'_1\sigma'$, 
so $Q \rightarrow Q'$. Finally, we obtain $P' \dot\sim\mathcal{S}_2\dot\sim Q'$ by letting $R_2$ be 
$\bar{c}_{SB}\langle x_2\rangle \mid R'_1$. 

In case (2), we invoke Lemma 9(2) again, showing that the message 
received by $S$ cannot be a ciphertext encrypted under $K_{AS}$. That 
lemma implies that if $R_1\sigma \xrightarrow{\bar{c}_{AS}} (\nu\vec{n})\langle N\rangle C$ (where we may assume that 
the names $\vec{n}$ are fresh) then there is a process $R'_1$ and a term $N_1$ with 
$E \vdash R'_1$, $E \vdash N_1$, $C = R'_1\sigma$, and $N = N_1\sigma$. So $N$ cannot be of the 
form $\{N'\}_{K_{AS}}$ unless $N'$ is $K_{AB}$. Therefore, $S$ gets stuck, and $P'$ is 
barbed equivalent to: 

$$B \mid (\nu\vec{n})(R'_1\sigma)$$ 

by Propositions 8 and 5. For $Q'$, we take: 

$$B \mid (\nu\vec{n})(R'_1\sigma')$$ 

By Lemma 9(2), $R_1\sigma' \xrightarrow{\bar{c}_{AS}} (\nu\vec{n})\langle N_1\sigma'\rangle R'_1\sigma'$; in addition, $N_1\sigma'$ cannot 
be of the form $\{N'\}_{K_{AS}}$ either. Hence we obtain $Q \rightarrow Q'$. Finally, we 
obtain $P' \dot\sim\mathcal{S}_2\dot\sim Q'$ by letting $R_2$ be $(\nu\vec{n})R'_1$ and noting that $E \vdash R'_1$ 
implies $E \vdash (\nu\vec{n})R'_1$. 

In case (3), we invoke Lemma 9(2) again, showing this time that the 
message received by $B$ cannot be a ciphertext encrypted under $K_{SB}$. 
In this case, that lemma says that if $R_1\sigma \xrightarrow{\bar{c}_{SB}} (\nu\vec{n})\langle N\rangle C$ (where we 
may assume that the names $\vec{n}$ are fresh) then there is a process $R'_1$ and 
a term $N_1$ with $E \vdash R'_1$, $E \vdash N_1$, $C = R'_1\sigma$, and $N = N_1\sigma$; in addition, 
$fv(N_1) \subseteq fv(R_1)$, and hence $x_2 \notin fv(N_1)$. So $N$ cannot be of the form 
$\{N'\}_{K_{SB}}$. Therefore, $B$ gets stuck, and $P'$ is barbed equivalent to: 

$$S \mid (\nu\vec{n})(R'_1\sigma)$$ 

by Propositions 8 and 5. For $Q'$, we take: 

$$S \mid (\nu\vec{n})(R'_1\sigma')$$ 
By Lemma 9(2), $R_1\sigma' \xrightarrow{\bar{c}_{SB}} (\nu\vec{n})\langle N_1\sigma'\rangle R'_1\sigma'$; in addition, $N_1\sigma'$ cannot 
be of the form $\{N'\}_{K_{SB}}$ either. Hence we obtain $Q \rightarrow Q'$. Finally, we 
obtain $P' \dot\sim Q'$ from Proposition 10, since $\sigma$ and $\sigma'$ are injective, $P'$ 
is $(S \mid (\nu\vec{n})R'_1)\sigma$, $Q'$ is $(S \mid (\nu\vec{n})R'_1)\sigma'$, and barbed equivalence is the 
greatest barbed bisimulation. 

In case (4), $P'$ has the form $S \mid B \mid C$ where $R_1\sigma \xrightarrow{\tau} C$ and, by 
Lemma 9(2), $C = R'_1\sigma$ for some $R'_1$ such that $E \vdash R'_1$ and $fv(R'_1) \subseteq fv(R_1)$. 
Thus, $P'$ is: 

$$S \mid B \mid R'_1\sigma$$ 

For $Q'$, we take: 

$$S \mid B \mid R'_1\sigma'$$ 

By Lemma 9(2), $R_1\sigma' \xrightarrow{\tau} R'_1\sigma'$, so $Q \rightarrow Q'$. Finally, we have 
$P' \dot\sim\mathcal{S}_1\dot\sim Q'$. 

• Suppose $P\ \mathcal{S}_2\ Q$, that is, 

$$P = B \mid R_2\sigma$$ 
$$Q = B \mid R_2\sigma'$$ 

with $E \vdash R_2$. There are three ways in which a reaction $P \rightarrow P'$ may 
be derived: (1) $B$ receives the message $\{K_{AB}\}_{K_{SB}}$ from $R_2\sigma$; (2) $B$ 
receives some other message from $R_2\sigma$; (3) $R_2\sigma$ reacts on its own. 

In case (1), $P'$ is: 

$$B'(K_{AB}) \mid C$$ 

where $C$ is a residue of $R_2\sigma$ such that $R_2\sigma \xrightarrow{\bar{c}_{SB}} (\nu)\langle\{K_{AB}\}_{K_{SB}}\rangle C$. 
According to Lemma 9(2), $(\nu)\langle\{K_{AB}\}_{K_{SB}}\rangle C$ can be written in the 
form $(\nu)\langle N_2\sigma\rangle R'_2\sigma$ with $E \vdash R'_2$ and $E \vdash N_2$. Thus, $P'$ is: 

$$B'(K_{AB}) \mid R'_2\sigma$$ 

For $Q'$, we take: 

$$B'(K_{AB}) \mid R'_2\sigma'$$ 

By Lemma 9(2), $R_2\sigma' \xrightarrow{\bar{c}_{SB}} (\nu)\langle N_2\sigma'\rangle R'_2\sigma'$. Since $N_2\sigma$ is $\{K_{AB}\}_{K_{SB}}$, we 
have that $N_2\sigma'$ is also $\{K_{AB}\}_{K_{SB}}$. Hence, $R_2\sigma' \xrightarrow{\bar{c}_{SB}} (\nu)\langle\{K_{AB}\}_{K_{SB}}\rangle R'_2\sigma'$, 
so $Q \rightarrow Q'$. Finally, we obtain $P' \dot\sim\mathcal{S}_3\dot\sim Q'$ by letting $R_3$ be $R'_2$. 

In case (2), we invoke Lemma 9(2) again, showing that the message 
received by $B$ cannot be a ciphertext encrypted under $K_{SB}$. That 
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lemma implies that if i?2C {vn){N)C (where we may assume that 
the names n are fresh) then there is a process i?2 a term N2 with 

E ^ E ^ N2, C = /?2cr, and N = N2(J. So N cannot be of the form 
{N'}ksb unless N' is Kab- Therefore, B gets stuck, and P' is barbed 
equivalent to (z/n)(i?20") by Propositions 8 and 5. For Q', we take 

(w)(i?'2(7')- By Lemma 9(2), i?20-' ^ {un){N2a')R'2a'; in addition, 
N2cr' cannot be of the form {-/V'ji^s^ either. Hence we obtain Q Q' . 
Finally, we obtain P' Q' from Proposition 10, since a and a' are 
injective, P' is {{i'n)B!2)a, Q' is ((z^n)i?2)c', and barbed equivalence 
is the greatest barbed bisimulation. 

In case (3), P' has the form B \ C where C and, by Lemma 

9(2), C = for some such that E h i?^. Thus, P' is: 

B I R'2a 

For Q', we take: 

B I i?2Cj' 

By Lemma 9(2), R2a' — ^ -^2"^', so Q ^ Q'. Finally, we have 
P' ^<S2~ Q' . 

• Suppose $P\ \mathcal{S}_3\ Q$, that is,

$P = B'(K_{AB}) \mid R_3\sigma$
$Q = B'(K_{AB}) \mid R_3\sigma'$

with $E \vdash R_3$. There are three ways in which a reaction $P \rightarrow P'$ may be
derived: (1) $B$ receives the message $\{M\}_{K_{AB}}$ from $R_3\sigma$; (2) $B$ receives
some other message from $R_3\sigma$; (3) $R_3\sigma$ reacts on its own.

In case (1), $P' = \overline{c}\langle *\rangle \mid C$, where $C$ is a process such that $R_3\sigma \rightarrow (\nu)\langle\{M\}_{K_{AB}}\rangle C$. According to Lemma 9(2), $(\nu)\langle\{M\}_{K_{AB}}\rangle C$ can be
written in the form $(\nu)\langle N_3\sigma\rangle R_3'\sigma$ with $E \vdash R_3'$ and $E \vdash N_3$. In addition, $R_3\sigma' \rightarrow (\nu)\langle\{M'\}_{K_{AB}}\rangle R_3'\sigma'$, since $N_3$ must be $x_3$. Hence,
we take $Q'$ to be $\overline{c}\langle *\rangle \mid R_3'\sigma'$, obtaining $Q \rightarrow Q'$. Finally, we obtain $P' \sim Q'$ from Proposition 10, since $\sigma$ and $\sigma'$ are injective, $P'$ is
$(\overline{c}\langle *\rangle \mid R_3')\sigma$, $Q'$ is $(\overline{c}\langle *\rangle \mid R_3')\sigma'$, and barbed equivalence is the greatest
barbed bisimulation.

In case (2), we invoke Lemma 9(2) again, showing that the message
received by $B$ cannot be a ciphertext encrypted under $K_{AB}$. That
lemma implies that if $R_3\sigma \rightarrow (\nu\vec n)\langle N\rangle C$ (where we may assume that
the names $\vec n$ are fresh) then there is an agent $R_3'$ and a term $N_3$ with
$E \vdash R_3'$, $E \vdash N_3$, $C = R_3'\sigma$, and $N = N_3\sigma$. So $N$ cannot be of the form
$\{N'\}_{K_{AB}}$ unless $N'$ is $M$. Therefore, $B$ gets stuck, and $P'$ is barbed
equivalent to $(\nu\vec n)(R_3'\sigma)$ by Propositions 8 and 5. For $Q'$, we take
$(\nu\vec n)(R_3'\sigma')$. By Lemma 9(2), $R_3\sigma' \rightarrow (\nu\vec n)\langle N_3\sigma'\rangle R_3'\sigma'$; in addition,
$N_3\sigma'$ cannot be of the form $\{N'\}_{K_{AB}}$ either. Hence we obtain $Q \rightarrow Q'$.
Finally, we obtain $P' \sim Q'$ from Proposition 10, since $\sigma$ and $\sigma'$ are
injective, $P'$ is $((\nu\vec n)R_3')\sigma$, $Q'$ is $((\nu\vec n)R_3')\sigma'$, and barbed equivalence
is the greatest barbed bisimulation.

In case (3), $P'$ has the form $B'(K_{AB}) \mid C$ where $R_3\sigma \rightarrow C$ and, by
Lemma 9(2), $C = R_3'\sigma$ for some $R_3'$ such that $E \vdash R_3'$. Thus, $P'$ is:

$B'(K_{AB}) \mid R_3'\sigma$

For $Q'$, we take:

$B'(K_{AB}) \mid R_3'\sigma'$

By Lemma 9(2), $R_3\sigma' \rightarrow R_3'\sigma'$, so $Q \rightarrow Q'$. Finally, we have

$P' \sim\mathcal{S}_3\sim Q'$.

By symmetry, we have also a proof that if $Q \rightarrow Q'$ then there is $P'$ with
$P \rightarrow P'$ and either $P' \sim\mathcal{S}_i\sim Q'$ for some $i \in \{1,2,3\}$ or $P' \sim Q'$. □

The full secrecy property follows. 

Proposition 19 $Inst(M) \simeq Inst(M')$ if $F(M) \simeq F(M')$, for any closed
terms $M$ and $M'$.

Proof The argument is similar to that in Proposition 13. Given the
authenticity property (Proposition 17) and the specialized secrecy property
(Lemma 18), it is enough to prove:

$Inst_{spec}(N) \sim (\nu c)(Inst(N, (x)\overline{c}\langle *\rangle) \mid c(y).F(N))$

for all $N$. □

6.4 Formalization of the Attack of Section 3.2.3 

Here we prove that the authenticity equation discussed in Section 3.2.3 does 
not hold. We do this by formalizing the replay attack sketched there. 

The definitions of $Sys$ and $Sys_{spec}$ are given in Section 3.2.3. We prove:

Proposition 20 If $I$ is $(i, j, M)$, $I'$ is $(i, j, M')$, and $M$ and $M'$ are different
closed terms, then there exists $F$ such that $Sys(I, I') \not\simeq Sys_{spec}(I, I')$.

Proof We define $F(x, y, z)$ as $\overline{c}\langle z\rangle$ where $c$ is a new name. According
to the definition of testing equivalence, it suffices to construct a test $(R, \beta)$
such that $Sys(I, I')$ passes $(R, \beta)$ but $Sys_{spec}(I, I')$ does not pass $(R, \beta)$.

For $\beta$, we take $d$ where $d$ is a name that does not occur in $Sys_{spec}(I, I')$.
For $R$, we take:

$c_S(u).\overline{c_S}\langle u\rangle.\overline{c_S}\langle u\rangle.c_j(x).\overline{c_j}\langle x\rangle.\overline{c_j}\langle x\rangle.c(y).c(z).[y\ \mathit{is}\ z]\,\overline{d}\langle *\rangle$

This process duplicates a message $u$ sent on $c_S$ and a message $x$ sent on
$c_j$, receives two messages $y$ and $z$ through $c$, and finally sends a message
on $d$ if $y$ and $z$ are equal. Intuitively, this process can be understood as an
attacker that replays an encrypted key $u$ and some encrypted data $x$ from
$i$, and signals on $d$ if the replay attack has worked, that is, if two identical
messages $y$ and $z$ appear on $c$.

The parallel composition of $R$ with $Sys(I, I')$ may eventually exhibit
$d$, because $y$ and $z$ may both equal $M$ or $M'$, as a result of the message
duplications on $c_S$ and $c_j$. Therefore, $Sys(I, I')$ passes $(R, \beta)$.

In contrast, the parallel composition of $R$ with $Sys_{spec}(I, I')$ never exhibits $d$, because each of $M$ and $M'$ will be transmitted at most once on $c$,
so $y$ and $z$ cannot match. Therefore, $Sys_{spec}(I, I')$ does not pass $(R, \beta)$. □

6.5 Proofs for the Example of Section 3.2.4 

As in Section 3.2.4, we consider a system with a server $S$ and $n$ other principals, which we call $1, 2, \ldots$. We let $Prn = 1..n$, and we use the metavariables
$i$ and $j$ to range over $Prn$. Each principal has an input channel; these input
channels have the names $c_1, c_2, \ldots, c_n$ and $c_S$. The server shares a pair of
keys with each other principal: principal $i$ uses key $K_{iS}$ to send to $S$ and key
$K_{Si}$ to receive from $S$, for each $i \in Prn$. The system is parameterized by
a list of instances, $I_1, \ldots, I_m$, indexed by the set $Ins = 1..m$, and a single
abstraction $F$ such that $F(i, j, M)$ is a process for any instance $(i, j, M)$.
We use the metavariable $k$ to range over $Ins$.
For an instance $I = (i, j, M)$, the informal description of the protocol is:

Message 1  $i \rightarrow S$ : $i$ on $c_S$
Message 2  $S \rightarrow i$ : $N_S$ on $c_i$
Message 3  $i \rightarrow S$ : $i, \{i, i, j, K_{AB}, N_S\}_{K_{iS}}$ on $c_S$
Message 4  $S \rightarrow j$ : $*$ on $c_j$
Message 5  $j \rightarrow S$ : $N_B$ on $c_S$
Message 6  $S \rightarrow j$ : $\{S, i, j, K_{AB}, N_B\}_{K_{Sj}}$ on $c_j$
Message 7  $i \rightarrow j$ : $i, \{M\}_{K_{AB}}$ on $c_j$



We rephrase the formal description of the protocol through the following
definitions:

$A1(i,j,M) \triangleq \overline{c_S}\langle i\rangle \mid A2(i,j,M)$
$A2(i,j,M) \triangleq c_i(x).(\nu K_{AB})(\overline{c_S}\langle (i, \{i,i,j,K_{AB},x\}_{K_{iS}})\rangle \mid \overline{c_j}\langle (i, \{M\}_{K_{AB}})\rangle)$
$S1 \triangleq c_S(x).\prod_{i\in Prn}[x\ \mathit{is}\ i]\,(\nu N_S)(\overline{c_i}\langle N_S\rangle \mid S2(i,N_S))$
$S2(i,N) \triangleq c_S(x).\mathit{let}\ (y_1,y_2) = x\ \mathit{in}\ [y_1\ \mathit{is}\ i]\ \mathit{case}\ y_2\ \mathit{of}\ \{z_1,z_2,z_3,z_4,z_5\}_{K_{iS}}\ \mathit{in}\ \prod_{j\in Prn}[z_1\ \mathit{is}\ i][z_2\ \mathit{is}\ i][z_3\ \mathit{is}\ j][z_5\ \mathit{is}\ N]\,S3(i,j,z_4)$
$S3(i,j,K) \triangleq \overline{c_j}\langle *\rangle \mid S4(i,j,K)$
$S4(i,j,K) \triangleq c_S(x).\overline{c_j}\langle \{S,i,j,K,x\}_{K_{Sj}}\rangle$
$B1(j,F) \triangleq c_j(x).(\nu N_B)(\overline{c_S}\langle N_B\rangle \mid B2(j,F,N_B))$
$B2(j,F,N) \triangleq c_j(x).\mathit{case}\ x\ \mathit{of}\ \{y_1,y_2,y_3,y_4,y_5\}_{K_{Sj}}\ \mathit{in}\ \prod_{i\in Prn}[y_1\ \mathit{is}\ S][y_2\ \mathit{is}\ i][y_3\ \mathit{is}\ j][y_5\ \mathit{is}\ N]\,B3(i,j,F,y_4)$
$B3(i,j,F,K) \triangleq c_j(x).\mathit{let}\ (y_1,y_2) = x\ \mathit{in}\ [y_1\ \mathit{is}\ i]\ \mathit{case}\ y_2\ \mathit{of}\ \{z\}_K\ \mathit{in}\ F(i,j,z)$
$Sys(I_1,\ldots,I_m) \triangleq (\nu K_{iS}^{\,i\in Prn})(\nu K_{Sj}^{\,j\in Prn})(\prod_{k\in Ins}A1(I_k) \mid\ !S1 \mid \prod_{j\in Prn}\,!B1(j,F))$

where $(\nu K_{iS}^{\,i\in Prn})(\nu K_{Sj}^{\,j\in Prn})$ means $(\nu K_{1S})\cdots(\nu K_{nS})(\nu K_{S1})\cdots(\nu K_{Sn})$.
We rephrase the specification as well:

$A1_{spec}((i,j,M),F) \triangleq (\nu p)(A1(i,j,p) \mid p(x).F(i,j,M))$
$F_{spec}(i,j,p) \triangleq \overline{p}\langle *\rangle$
$Sys_{spec}(I_1,\ldots,I_m) \triangleq (\nu K_{iS}^{\,i\in Prn})(\nu K_{Sj}^{\,j\in Prn})(\prod_{k\in Ins}A1_{spec}(I_k,F) \mid\ !S1 \mid \prod_{j\in Prn}\,!B1(j,F_{spec}))$
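What the nonce checks in $S2$ and $B2$ buy against a replay of the kind used in the proof of Proposition 20 can be seen on a small symbolic simulation, added here as an example and not part of the paper's development. The Python below models the seven-message protocol above with perfect (symbolic) encryption, runs one honest instance $(i,j,M)$, and then lets an attacker open a second session in $i$'s name (Message 1 is a plaintext principal name, so anyone can send it) and answer the server's fresh $N_S$ with the recorded Message 3, followed by the recorded Message 7. The $[z_5\ \mathit{is}\ N]$ test of $S2$ rejects the stale nonce, so $F$ runs once; the `check_nonces=False` switch, a constructed variant for comparison and not a protocol the paper defines, removes that single test, after which the replayed $\{M\}_{K_{AB}}$ is accepted by a second $B$ replica and $F(i,j,M)$ runs twice. All function and variable names are this example's own.

```python
# Added example (not from the paper): symbolic simulation of the Section 3.2.4
# protocol against a message-replaying attacker in the spirit of the test R
# of Proposition 20. Every name and function below is this example's own.
from collections import Counter


def enc(key, payload):
    """{payload}_key as a symbolic term: opaque unless opened with `key`."""
    return ("enc", key, payload)


def dec(key, term):
    """'case term of {x}_key in ...': returns x, or None if the process gets stuck."""
    if isinstance(term, tuple) and len(term) == 3 and term[0] == "enc" and term[1] == key:
        return term[2]
    return None


class Fresh:
    """Models restriction (nu n): every call yields a name distinct from all earlier ones."""
    def __init__(self):
        self.count = 0

    def __call__(self, base):
        self.count += 1
        return f"{base}#{self.count}"


def s2(keys, i, n_s, msg3, check_nonces):
    """S2(i, N_S): Message 3 is (y1, y2); [y1 is i]; open y2 under K_iS; check the fields.
    Returns (j, K_AB) on success, None when the server gets stuck."""
    y1, y2 = msg3
    if y1 != i:
        return None
    fields = dec(keys[("iS", i)], y2)
    if fields is None:
        return None
    z1, z2, z3, z4, z5 = fields
    if z1 != i or z2 != i:
        return None
    if check_nonces and z5 != n_s:          # the [z5 is N] test of S2
        return None
    return z3, z4


def b2(keys, j, n_b, msg6):
    """B2(j, F, N_B): open Message 6 under K_Sj; check S, j and B's own nonce N_B.
    Returns (i, K_AB) or None."""
    fields = dec(keys[("Sj", j)], msg6)
    if fields is None:
        return None
    y1, y2, y3, y4, y5 = fields
    if y1 != "S" or y3 != j or y5 != n_b:   # [y1 is S] [y3 is j] [y5 is N]
        return None
    return y2, y4


def b3(i, k_ab, msg7):
    """B3(i, j, F, K): Message 7 is (i, {z}_K); returns z (handed to F) or None."""
    z1, z2 = msg7
    if z1 != i:
        return None
    return dec(k_ab, z2)


def run(check_nonces=True, attacker_replays=False):
    """Run one instance (i, j, M); return how many times F(i, j, M) ends up running.
    With attacker_replays, a second session is opened in i's name and fed the
    recorded Message 3 and Message 7 instead of fresh ones."""
    fresh = Fresh()
    i, j, M = "1", "2", "M"                     # constructed instance I = (1, 2, M)
    keys = {("iS", i): fresh("K_iS"), ("Sj", j): fresh("K_Sj")}
    f_runs = Counter()                          # (i, j, z) -> number of F invocations
    recorded = {}                               # what the attacker saw on public channels

    def session(answer_msg2, msg7):
        """One S replica and one B replica driven through Messages 1..7."""
        n_s = fresh("N_S")                      # S1: Message 2 on c_i
        msg3 = answer_msg2(n_s)                 # whoever answers on c_S
        accepted = s2(keys, i, n_s, msg3, check_nonces)
        if accepted is None:
            return
        jj, k = accepted
        n_b = fresh("N_B")                      # B1: Message 4 in, Message 5 out
        msg6 = enc(keys[("Sj", jj)], ("S", i, jj, k, n_b))   # S4: Message 6
        accepted = b2(keys, jj, n_b, msg6)
        if accepted is None:
            return
        ii, k = accepted
        z = b3(ii, k, msg7)                     # B3, then F(i, j, z)
        if z is not None:
            f_runs[(ii, jj, z)] += 1

    k_ab = fresh("K_AB")

    def honest_a2(n_s):                         # A2: Message 3 bound to the fresh N_S
        recorded["msg3"] = (i, enc(keys[("iS", i)], (i, i, j, k_ab, n_s)))
        return recorded["msg3"]

    recorded["msg7"] = (i, enc(k_ab, M))        # Message 7
    session(honest_a2, recorded["msg7"])
    if attacker_replays:
        session(lambda _fresh_n_s: recorded["msg3"], recorded["msg7"])
    return f_runs[(i, j, M)]


if __name__ == "__main__":
    print(run(), run(attacker_replays=True), run(check_nonces=False, attacker_replays=True))
```

The second $B$ replica in the replayed session accepts Message 6 regardless, because $S4$ echoes whatever nonce $B$ just sent; it is only the $N_S$ check in $S2$ that stops the stale Message 3, and hence the redistribution of the old $K_{AB}$ that the replayed Message 7 depends on.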
In this section, we prove the stated authenticity and secrecy properties,
namely:

$Sys(I_1,\ldots,I_m) \simeq Sys_{spec}(I_1,\ldots,I_m)$, for any instances $I_1,\ldots,I_m$;

$Sys(I_1,\ldots,I_m) \simeq Sys(J_1,\ldots,J_m)$, if each pair $(I_1,J_1),\ldots,(I_m,J_m)$ is indistinguishable.

Proposition 21 For any instances $I_1,\ldots,I_m$,

$Sys(I_1,\ldots,I_m) \simeq Sys_{spec}(I_1,\ldots,I_m)$

Proof Let $I_1,\ldots,I_m$ be a list of instances, with $Ins = 1..m$. We begin
by reducing the problem to one involving finite compositions rather than
replications, and give a bisimulation proof after this reduction.

First, we group the replications in $Sys(I_1,\ldots,I_m)$ and $Sys_{spec}(I_1,\ldots,I_m)$
using Proposition 30:

$Sys(I_1,\ldots,I_m) \simeq (\nu K_{iS}^{\,i\in Prn})(\nu K_{Sj}^{\,j\in Prn})(\prod_{k\in Ins}A1(I_k) \mid\ !(S1 \mid \prod_{j\in Prn}B1(j,F)))$  (9)

$Sys_{spec}(I_1,\ldots,I_m) \simeq (\nu K_{iS}^{\,i\in Prn})(\nu K_{Sj}^{\,j\in Prn})(\prod_{k\in Ins}A1_{spec}(I_k,F) \mid\ !(S1 \mid \prod_{j\in Prn}B1(j,F_{spec})))$  (10)

Further, we apply Proposition 29 to the right-hand sides of (9) and (10);
Proposition 29 implies that, to prove $Sys(I_1,\ldots,I_m) \simeq Sys_{spec}(I_1,\ldots,I_m)$,
it suffices to prove:

$fSys(I_1,\ldots,I_m,r) \simeq fSys_{spec}(I_1,\ldots,I_m,r)$  (11)

for all $r \geq 0$, where

$fSys(I_1,\ldots,I_m,r) \triangleq (\nu K_{iS}^{\,i\in Prn})(\nu K_{Sj}^{\,j\in Prn})(\prod_{k\in Ins}A1(I_k) \mid \prod_{s\in 1..r}(S1 \mid \prod_{j\in Prn}B1(j,F)))$

$fSys_{spec}(I_1,\ldots,I_m,r) \triangleq (\nu K_{iS}^{\,i\in Prn})(\nu K_{Sj}^{\,j\in Prn})(\prod_{k\in Ins}A1_{spec}(I_k,F) \mid \prod_{s\in 1..r}(S1 \mid \prod_{j\in Prn}B1(j,F_{spec})))$

Thus, we have eliminated replications.
Next we reformulate (11) by pulling restrictions to the top level, and
inserting certain additional $\tau$ steps. For this purpose, we use the following
auxiliary definitions:

$A1'((i,j,M),K) \triangleq \overline{c_S}\langle i\rangle \mid A2'((i,j,M),K)$
$A2'((i,j,M),K) \triangleq c_i(x).(\overline{c_S}\langle (i,\{i,i,j,K,x\}_{K_{iS}})\rangle \mid \overline{c_j}\langle (i,\{M\}_K)\rangle)$
$S1'(N) \triangleq c_S(x).\prod_{i\in Prn}[x\ \mathit{is}\ i]\,(\overline{c_i}\langle N\rangle \mid S2(i,N))$
$B1'(j,F,N) \triangleq c_j(x).(\overline{c_S}\langle N\rangle \mid B2(j,F,N))$

Lemmas 36 and 37 yield:

$A1(I) \sim (\nu K_{AB})A1'(I,K_{AB})$  (12)
$A2(I) \sim (\nu K_{AB})A2'(I,K_{AB})$  (13)
$S1 \sim (\nu N_S)S1'(N_S)$  (14)
$B1(j,F) \sim (\nu N_B)B1'(j,F,N_B)$  (15)

Moreover, equation (12) yields:

$A1_{spec}((i,j,M),F) \sim (\nu K_{AB})(\nu p)(A1'((i,j,p),K_{AB}) \mid p(x).F(i,j,M))$  (16)

We also introduce the sets of names:

$\{p_k \mid k\in Ins\}$
$\{K_{ABk} \mid k\in Ins\}$
$\{N_{Ss} \mid s\in 1..r\}$
$\{N_{Bjt} \mid j\in Prn\ \&\ t\in 1..r\}$

All the names listed are assumed distinct and fresh. Given that $\tau.F$ is short
for the abstraction $(x)\tau.F(x)$, we obtain:

$fSys(I_1,\ldots,I_m,r) \simeq (\nu K_{iS}^{\,i\in Prn})(\nu K_{Sj}^{\,j\in Prn})(\nu K_{ABk}^{\,k\in Ins})(\nu N_{Ss}^{\,s\in 1..r})(\nu N_{Bjt}^{\,j\in Prn\,\&\,t\in 1..r})$  (17)
$\quad(\prod_{k\in Ins}A1'(I_k,K_{ABk}) \mid \prod_{s\in 1..r}S1'(N_{Ss}) \mid \prod_{j\in Prn}\prod_{t\in 1..r}B1'(j,\tau.F,N_{Bjt}))$

$fSys_{spec}(I_1,\ldots,I_m,r) \simeq (\nu K_{iS}^{\,i\in Prn})(\nu K_{Sj}^{\,j\in Prn})(\nu p_k^{\,k\in Ins})(\nu K_{ABk}^{\,k\in Ins})(\nu N_{Ss}^{\,s\in 1..r})(\nu N_{Bjt}^{\,j\in Prn\,\&\,t\in 1..r})$  (18)
$\quad((\prod_{k\in Ins}A1'((i,j,p_k),K_{ABk})\ \text{where}\ I_k = (i,j,M)) \mid$
$\quad\ (\prod_{k\in Ins}p_k(x).F(i,j,M)\ \text{where}\ I_k = (i,j,M)) \mid$
$\quad\ \prod_{s\in 1..r}S1'(N_{Ss}) \mid \prod_{j\in Prn}\prod_{t\in 1..r}B1'(j,F_{spec},N_{Bjt}))$
The proof of (17) and (18) is in three steps. First, we expose all the restrictions in the processes $fSys(I_1,\ldots,I_m,r)$ and $fSys_{spec}(I_1,\ldots,I_m,r)$ by
rewriting with equations (12), (13), (14), (15), and (16). Second, we use the
rules of structural equivalence to group all the restrictions at the top level of
the processes. Third, we use the $\tau$ law ($\tau.P \simeq P$, Proposition 35) to insert
a $\tau$ step before each call to $F$ in $fSys(I_1,\ldots,I_m,r)$. (The $\tau$ step is useful
because it corresponds to the interaction on one of the $p_k$'s that precedes
each call to $F$ in $fSys_{spec}(I_1,\ldots,I_m,r)$.)

Thus, we have reduced the property claimed in this proposition to equation (11), and in turn have reduced this equation to the equivalence of
the right-hand sides of equations (17) and (18), for an arbitrary number
$r \geq 0$. To prove this equivalence, we invoke Proposition 7, and show that
when composed with any closed process $R$ the two right-hand sides of (17)
and (18) are barbed equivalent. Without loss of generality we may assume
that none of the names bound in the outermost restrictions occurs free in
$R$. Up to structural equivalence, and therefore barbed equivalence, we may
extrude the scope of those restrictions to include $R$. Since barbed equivalence is preserved by restriction (Proposition 5(4)), it suffices to prove that
the following two processes are barbed equivalent:

$\prod_{k\in Ins}A1'(I_k,K_{ABk}) \mid \prod_{s\in 1..r}S1'(N_{Ss}) \mid \prod_{j\in Prn}\prod_{t\in 1..r}B1'(j,\tau.F,N_{Bjt}) \mid R$  (19)

and

$(\nu p_k^{\,k\in Ins})((\prod_{k\in Ins}A1'((i,j,p_k),K_{ABk})\ \text{where}\ I_k = (i,j,M)) \mid$  (20)
$\quad(\prod_{k\in Ins}p_k(x).F(i,j,M)\ \text{where}\ I_k = (i,j,M)) \mid$
$\quad\prod_{s\in 1..r}S1'(N_{Ss}) \mid \prod_{j\in Prn}\prod_{t\in 1..r}B1'(j,F_{spec},N_{Bjt}) \mid R)$

for any closed $R$ such that no $K_{iS}$, $K_{Sj}$, $K_{ABk}$, $N_{Ss}$, $N_{Bjt}$, or $p_k$ occurs
free in $R$. (We have removed most of the outermost restrictions only for the
sake of notational simplicity. On the other hand, it is necessary to retain
the restriction on the $p_k$'s: otherwise the simplified process (20) would have
input barbs that could not be matched by process (19).)

The remainder of our proof consists in constructing a relation $\mathcal{S}$ such
that $\equiv\mathcal{S}\equiv$ relates processes (19) and (20), and in establishing that $\mathcal{S}$ is
a barbed bisimulation up to $\sim$ and restriction, hence that processes (19)
and (20) are barbed equivalent. We lead up to the definition of $\mathcal{S}$ with
several preliminary definitions:
• We let a world be a tuple $W = (snd, srv, rcv, X, E, \sigma, \sigma_{spec}, R)$ where
$E$ is an environment and $\sigma$ and $\sigma_{spec}$ are substitutions, $R$ is a process,
$X \subseteq Ins$, and $snd$, $srv$, and $rcv$ are finite maps such that:

$snd(k) \in \{a2,\ sent(L,L') \mid \text{any closed terms } L \text{ and } L'\}$

$srv(s) \in \{s1,\ s2(i),\ stuck,\ s4(k),\ sent(k,L,L') \mid i\in Prn,\ k\in Ins,\ \text{any closed terms } L \text{ and } L'\}$

$rcv(j,t) \in \{b1,\ b2,\ stuck,\ b3(k),\ run(k),\ done \mid k\in Ins\}$

for each $k\in Ins$, $s\in 1..r$, and $(j,t)\in Prn\times 1..r$. The symbols
$a2$, $sent$, $s1$, $s2$, $s4$, $stuck$, $b1$, $b2$, $b3$, $run$, and $done$ are
string tags; $s2(i)$ is short for the pair $(s2,i)$, $sent(k,L,L')$ for the pair
$(sent,(k,L,L'))$, and similarly for the other tags.

Intuitively, $k\in X$ just if instance $k$ may yet complete the protocol.
The maps $snd$, $srv$, and $rcv$ represent the states of the senders, servers,
and receivers, respectively, that participate in the protocol.

• Given a world $W = (snd, srv, rcv, X, E, \sigma, \sigma_{spec}, R)$, and given $k\in Ins$,
$s\in 1..r$, and $(j,t)\in Prn\times 1..r$, we define processes $A^W(k)$, $A^W_{spec}(k)$,
$S^W(s)$, $B^W(j,t)$, and $B^W_{spec}(j,t)$:

$A^W(k) =$
    $A2'(I_k,K_{ABk})$ if $snd(k) = a2$
    $0$ otherwise

$A^W_{spec}(k) =$
    $A2'((i,j,p_k),K_{ABk})$ if $snd(k) = a2$, $I_k = (i,j,M)$
    $0$ otherwise

$S^W(s) =$
    $S1'(N_{Ss})$ if $srv(s) = s1$
    $S2(i,N_{Ss})$ if $srv(s) = s2(i)$
    $S4(i,j,K_{ABk})$ if $srv(s) = s4(k)$, $I_k = (i,j,M)$
    $0$ otherwise

$B^W(j,t) =$
    $B1'(j,\tau.F,N_{Bjt})$ if $rcv(j,t) = b1$
    $B2(j,\tau.F,N_{Bjt})$ if $rcv(j,t) = b2$
    $B3(i,j,\tau.F,K_{ABk})$ if $rcv(j,t) = b3(k)$, $I_k = (i,j,M)$
    $\tau.F(i,j,M)$ if $rcv(j,t) = run(k)$, $I_k = (i,j,M)$
    $0$ otherwise

$B^W_{spec}(j,t) =$
    $B1'(j,F_{spec},N_{Bjt})$ if $rcv(j,t) = b1$
    $B2(j,F_{spec},N_{Bjt})$ if $rcv(j,t) = b2$
    $B3(i,j,F_{spec},K_{ABk})$ if $rcv(j,t) = b3(k)$, $I_k = (i,j,M)$
    $\overline{p_k}\langle *\rangle$ if $rcv(j,t) = run(k)$, $I_k = (i,j,M)$
    $0$ otherwise

Intuitively, $A^W(k)$ is the process that sender $k$ has left to run when its
state is $snd(k)$. Similarly, in the context of the specification, $A^W_{spec}(k)$
is the process that sender $k$ has left to run when its state is $snd(k)$; this
process does not include $p_k(x).F(i,j,M)$, which is treated separately.
The other definitions deal analogously with replicas of the server and
of the receivers.

Given a world $W = (snd, srv, rcv, X, E, \sigma, \sigma_{spec}, R)$, we also let $P^W$ be:

$\prod_{k\in Ins}A^W(k) \mid \prod_{s\in 1..r}S^W(s) \mid \prod_{(j,t)\in Prn\times 1..r}B^W(j,t) \mid R\sigma$

and $Q^W$ be:

$(\nu p_k^{\,k\in Ins})(\prod_{k\in Ins}A^W_{spec}(k) \mid \prod_{s\in 1..r}S^W(s) \mid \prod_{(j,t)\in Prn\times 1..r}B^W_{spec}(j,t) \mid$
$\quad(\prod_{k\in X}p_k(x).F(i,j,M)\ \text{where}\ I_k = (i,j,M)) \mid R\sigma_{spec})$

Intuitively, $P^W$ is the process that the whole system has left to run
when its state is as described in $W$, and $Q^W$ is the corresponding
process for the specification.

• Given a world $W$ with maps $snd$, $srv$, and $rcv$, we define the instance
sets of $W$ to be the subsets $X^W_2$, $X^W_3$, $X^W_5$, $X^W_6$, $X^W_7$, $X^W_F$ of $Ins$,
such that for any $k\in Ins$ with $I_k = (i,j,M)$:

$k\in X^W_2$ iff $snd(k) = a2$
$k\in X^W_3$ iff $\exists s\in 1..r,\ i'\in Prn\ (snd(k) = sent(N_{Ss},N_{Ss})\ \&\ srv(s)\in\{s1, s2(i')\})$
$k\in X^W_5$ iff $\exists s\in 1..r\ (srv(s) = s4(k))$
$k\in X^W_6$ iff $\exists s\in 1..r,\ t\in 1..r\ (srv(s) = sent(k,N_{Bjt},N_{Bjt})\ \&\ rcv(j,t)\in\{b1, b2\})$
$k\in X^W_7$ iff $\exists t\in 1..r\ (rcv(j,t) = b3(k))$
$k\in X^W_F$ iff $\exists t\in 1..r\ (rcv(j,t) = run(k))$

Intuitively, if $k\in X^W_s$ and $s\in\{2,3,5,6,7\}$, then the message in the
protocol numbered $s$ is the next to be received in instance $k$. Instance
set $X^W_F$ represents instances that, having completed the protocol, are
a $\tau$ step away from running $F$.

• A world $W = (snd, srv, rcv, X, E, \sigma, \sigma_{spec}, R)$ is possible if and only if
the following conditions hold:

(1) Sets $X^W_2$, $X^W_3$, $X^W_5$, $X^W_6$, $X^W_7$, $X^W_F$ are pairwise disjoint.

(2) The union $X^W_2 \cup X^W_3 \cup X^W_5 \cup X^W_6 \cup X^W_7 \cup X^W_F$ is a subset of $X$.

(3) For any $k\in Ins$, $s\in 1..r$, and terms $L$ and $L'$, if either $srv(s) = s4(k)$ or $srv(s) = sent(k,L,L')$ then $snd(k) = sent(N_{Ss},N_{Ss})$.

(4) For any $k\in Ins$, $j\in Prn$, and $t\in 1..r$, if either $rcv(j,t) = b3(k)$
or $rcv(j,t) = run(k)$ then there exists $s\in 1..r$ such that $srv(s) = sent(k,N_{Bjt},N_{Bjt})$.

(5) For any $k\in Ins$, terms $L$ and $L'$, and name $p$, $snd(k) = sent(L,L')$ implies either $L = L' = p$ or neither $L = p$ nor $L' = p$.

(6) For any $k\in Ins$, $s\in 1..r$, terms $L$ and $L'$, and name $p$, $srv(s) = sent(k,L,L')$ implies either $L = L' = p$ or neither $L = p$ nor
$L' = p$.

(7) Environment $E$ is:

$x_k : \{-\}_{K_{iS}}^{\ k\in Ins \text{ with } I_k = (i,j,M),\ snd(k) = sent(L,L')},$
$y_k : \{-\}_{K_{ABk}}^{\ k\in Ins \text{ with } I_k = (i,j,M),\ snd(k) = sent(L,L')},$
$z_s : \{-\}_{K_{Sj}}^{\ s\in 1..r \text{ with } I_k = (i,j,M),\ srv(s) = sent(k,L,L')}$

(8) Substitution $\sigma$ is:

$[\{i,i,j,K_{ABk},L\}_{K_{iS}}/x_k^{\ k\in Ins \text{ with } I_k = (i,j,M),\ snd(k) = sent(L,L')},$
$\ \{M\}_{K_{ABk}}/y_k^{\ k\in Ins \text{ with } I_k = (i,j,M),\ snd(k) = sent(L,L')},$
$\ \{S,i,j,K_{ABk},L\}_{K_{Sj}}/z_s^{\ s\in 1..r \text{ with } I_k = (i,j,M),\ srv(s) = sent(k,L,L')}]$

and substitution $\sigma_{spec}$ is:

$[\{i,i,j,K_{ABk},L'\}_{K_{iS}}/x_k^{\ k\in Ins \text{ with } I_k = (i,j,M),\ snd(k) = sent(L,L')},$
$\ \{p_k\}_{K_{ABk}}/y_k^{\ k\in Ins \text{ with } snd(k) = sent(L,L')},$
$\ \{S,i,j,K_{ABk},L'\}_{K_{Sj}}/z_s^{\ s\in 1..r \text{ with } I_k = (i,j,M),\ srv(s) = sent(k,L,L')}]$

(9) Process $R$ contains no free occurrence of any of the names $p_k$,
$K_{iS}$, $K_{Sj}$, $K_{ABk}$ and satisfies $E \vdash R$.






• Finally, we define the relation $\mathcal{S}$ as follows:

$\mathcal{S} = \{(P^W, Q^W) \mid \text{any possible world } W\}$

Given a possible world $(snd, srv, rcv, X, E, \sigma, \sigma_{spec}, R)$, conditions (7)
and (8) imply that $E$, $\sigma$, and $\sigma_{spec}$ are determined by the other components of the world, and that $E \vdash \sigma$ and $E \vdash \sigma_{spec}$ hold. Moreover, $\sigma$ is
injective, as we show next. Let us suppose that $w$ and $w'$ are two variables
that $\sigma$ maps to the same term. Since $\sigma$ maps all variables to ciphertexts
under keys in one of three disjoint families, we can distinguish three possible
cases:

• $w$ is $x_k$ and $w'$ is $x_{k'}$ for some $k, k'\in Ins$. Since $\sigma(x_k)$ has the form
$\{i,i,j,K_{ABk},L\}_{K_{iS}}$, $\sigma(x_k)$ textually contains $K_{ABk}$. Similarly, $\sigma(x_{k'})$
textually contains $K_{ABk'}$ in the same position. Therefore $k = k'$, so
$w = w'$.

• $w$ is $y_k$ and $w'$ is $y_{k'}$ for some $k, k'\in Ins$. Since $\sigma(y_k)$ has the form
$\{M\}_{K_{ABk}}$, $\sigma(y_k)$ textually contains $K_{ABk}$. Similarly, $\sigma(y_{k'})$ textually
contains $K_{ABk'}$ in the same position. Therefore $k = k'$, so $w = w'$.

• $w$ is $z_s$ and $w'$ is $z_{s'}$ for some $s, s'\in 1..r$. For some $k\in Ins$, we
have $\sigma(z_s) = \{S,i,j,K_{ABk},L\}_{K_{Sj}}$ where $srv(s) = sent(k,L,L')$ and
$I_k = (i,j,M)$. Since $\sigma(z_{s'}) = \sigma(z_s)$, there exists $L''$ such that $srv(s') = sent(k,L,L'')$. By condition (3), we obtain $snd(k) = sent(N_{Ss},N_{Ss})$
and $snd(k) = sent(N_{Ss'},N_{Ss'})$. Therefore $s = s'$, so $w = w'$.

Thus, if $\sigma$ maps two variables $w$ and $w'$ to the same term then $w = w'$, so
$\sigma$ is injective. By the same argument, $\sigma_{spec}$ is injective too.

Now we consider the world $W = (snd, srv, rcv, Ins, \emptyset, \emptyset, \emptyset, R')$ where

$R' = R \mid \prod_{k\in Ins}(\overline{c_S}\langle i\rangle\ \text{where}\ I_k = (i,j,M))$

such that $snd(k) = a2$ for all $k\in Ins$, $srv(s) = s1$ for all $s\in 1..r$, and
$rcv(j,t) = b1$ for all $(j,t)\in Prn\times 1..r$. The conditions for $W$ to be possible
are satisfied. In particular, $X$ and $X^W_2$ both equal $Ins$, while all other
instance sets are empty. Furthermore, processes $P^W$ and $Q^W$ are related by
$\mathcal{S}$, and are structurally equivalent to processes (19) and (20) respectively.
Therefore, if we can show that $\mathcal{S} \subseteq\ \sim$ it will follow that processes (19)
and (20) are barbed equivalent.

To prove that $\mathcal{S} \subseteq\ \sim$, we rely on Proposition 6: we show that $\mathcal{S}$ is a
barbed bisimulation up to $\sim$ and restriction. Thus, we prove, for any possible
world $W = (snd, srv, rcv, X, E, \sigma, \sigma_{spec}, R)$, that: (1) any barb exhibited
by $P^W$ is also exhibited by $Q^W$, and vice versa, and (2) for any reaction
$P^W \rightarrow P'$ there is $Q'$ with $Q^W \rightarrow Q'$ and there is a possible world $W'$ and
names $\vec n$ such that $P' \sim (\nu\vec n)P^{W'}$, $Q' \sim (\nu\vec n)Q^{W'}$, and vice versa. We treat
only conditions (1) and (2); the symmetric conditions can be established by
a symmetric treatment.

Condition (1) holds because $P^W$ and $Q^W$ have almost identical structure;
the only names to appear in one process but not the other are the $p_k$'s
occurring in $Q^W$; but the outermost restriction on the $p_k$'s prevents their
being exhibited as barbs.

To show condition (2), we first recall that $P^W$ is:

$\prod_{k\in Ins}A^W(k) \mid \prod_{s\in 1..r}S^W(s) \mid \prod_{(j,t)\in Prn\times 1..r}B^W(j,t) \mid R\sigma$

and $Q^W$ is:

$(\nu p_k^{\,k\in Ins})(\prod_{k\in Ins}A^W_{spec}(k) \mid \prod_{s\in 1..r}S^W(s) \mid \prod_{(j,t)\in Prn\times 1..r}B^W_{spec}(j,t) \mid$
$\quad(\prod_{k\in X}p_k(x).F(i,j,M)\ \text{where}\ I_k = (i,j,M)) \mid R\sigma_{spec})$

As usual, we appeal to Proposition 3 in order to analyze the reactions of $P^W$
in terms of its possible commitments. Processes $A^W(k)$, $S^W(s)$, $B^W(j,t)$
have only input or $\tau$ commitments, whereas the arbitrary process $R\sigma$ may
have input, output, or $\tau$ commitments. Therefore, a reaction of $P^W$ can
arise in only one of the following ways:

(A) from the interaction of an output commitment $R\sigma \xrightarrow{\overline{a}} (\nu\vec n)\langle L_1\rangle R_1$ and
an input commitment of one of the following seven kinds of process:

• $A^W(k) = A2'(I_k,K_{ABk})$ where $k\in Ins$ and $snd(k) = a2$,

• $S^W(s) = S1'(N_{Ss})$ where $s\in 1..r$ and $srv(s) = s1$,

• $S^W(s) = S2(i,N_{Ss})$ where $s\in 1..r$ and $srv(s) = s2(i)$,

• $S^W(s) = S4(i,j,K_{ABk})$ where $s\in 1..r$, $srv(s) = s4(k)$, and $I_k = (i,j,M)$,

• $B^W(j,t) = B1'(j,\tau.F,N_{Bjt})$ where $(j,t)\in Prn\times 1..r$ and $rcv(j,t) = b1$,

• $B^W(j,t) = B2(j,\tau.F,N_{Bjt})$ where $(j,t)\in Prn\times 1..r$ and $rcv(j,t) = b2$,

• $B^W(j,t) = B3(i,j,\tau.F,K_{ABk})$ where $(j,t)\in Prn\times 1..r$, $rcv(j,t) = b3(k)$, and $I_k = (i,j,M)$,

(B) from a $\tau$ commitment $B^W(j,t) = \tau.F(i,j,M) \xrightarrow{\tau} F(i,j,M)$
where $rcv(j,t) = run(k)$ and $I_k = (i,j,M)$,

(C) from a $\tau$ commitment of $R\sigma$.

In case (A), we may assume that the bound names $\vec n$ are fresh. Since
$W$ is possible, it follows that $E \vdash \sigma$ and $E \vdash \sigma_{spec}$, and that both $\sigma$ and
$\sigma_{spec}$ are injective substitutions. Therefore, given the commitment $R\sigma \xrightarrow{\overline{a}} (\nu\vec n)\langle L_1\rangle R_1$, Lemma 9(2) guarantees that there is an agent $A$ such that
$E \vdash A$, $fv(A) \subseteq fv(R)$, $fn(A) \subseteq fn(R)$, and $(\nu\vec n)\langle L_1\rangle R_1 = A\sigma$, and moreover
that $R\sigma_{spec} \xrightarrow{\overline{a}} A\sigma_{spec}$. From $(\nu\vec n)\langle L_1\rangle R_1 = A\sigma$ it follows there are $L_2$ and
$R_2$ such that $A = (\nu\vec n)\langle L_2\rangle R_2$, $L_1 = L_2\sigma$, and $R_1 = R_2\sigma$.

We now examine the input commitments of the seven kinds of process
above (ordered according to the enumeration of messages in the informal
description of the protocol, rather than as in the list above) and exhibit
in each case a possible world $W'$ such that $P' \sim (\nu\vec n)P^{W'}$ and there is $Q'$
with $Q^W \rightarrow Q'$ and $Q' \sim (\nu\vec n)Q^{W'}$, where $\vec n$ are the names generated in the
commitment of $R$.

(1) The reaction $P^W \rightarrow P'$, where

$P' = (\nu\vec n)(\prod_{k\in Ins}A^W(k) \mid \prod_{s'\in 1..r-\{s\}}S^W(s') \mid$
$\quad\prod_{i\in Prn}[L_2\sigma\ \mathit{is}\ i]\,(\overline{c_i}\langle N_{Ss}\rangle \mid S2(i,N_{Ss})) \mid$
$\quad\prod_{(j,t)\in Prn\times 1..r}B^W(j,t) \mid R_2\sigma)$

arises when $a$ is $c_S$, and there is an input commitment

$S1'(N_{Ss}) \xrightarrow{c_S} (x)\prod_{i\in Prn}[x\ \mathit{is}\ i]\,(\overline{c_i}\langle N_{Ss}\rangle \mid S2(i,N_{Ss}))$

for some $s\in 1..r$ such that $srv(s) = s1$.

We argue by cases on whether there is $i\in Prn$ such that $L_2\sigma = i$.

When there is $i\in Prn$ such that $L_2\sigma = i$, we can simplify $P'$ as
follows:

$P' \equiv (\nu\vec n)(\prod_{k\in Ins}A^W(k) \mid \prod_{s'\in 1..r-\{s\}}S^W(s') \mid S2(i,N_{Ss}) \mid$
$\quad\prod_{(j,t)\in Prn\times 1..r}B^W(j,t) \mid \overline{c_i}\langle N_{Ss}\rangle \mid R_2\sigma)$

We set:

$W' = (snd, srv', rcv, X, E, \sigma, \sigma_{spec}, \overline{c_i}\langle N_{Ss}\rangle \mid R_2)$

where $srv'$ is identical to $srv$ except that $srv'(s) = s2(i)$. With this
definition, $P' \equiv (\nu\vec n)P^{W'}$. Given the form of $\sigma$, $L_2\sigma = i$ implies
that $L_2 = i$, and therefore also that $L_2\sigma_{spec} = i$. Therefore, $Q^W \rightarrow (\nu\vec n)Q^{W'}$, so we let $Q' = (\nu\vec n)Q^{W'}$.

It remains to prove that the world $W'$ is possible. Conditions (1)
and (2), which are about the instance sets of $W'$, must hold since the
instance sets of $W'$ equal those of $W$, which itself is possible. Conditions (3) and (6) concern servers in states $s4(k)$ and $sent(k,L,L')$; they
hold for $W$ and continue to hold for $W'$ as no servers have entered
those states. Conditions (4) and (5) continue to hold in $W'$ as no
senders or receivers have changed state. Conditions (7) and (8) concerning $E$, $\sigma$, and $\sigma_{spec}$ hold, since $W$ is possible, no senders have
entered or left a $sent(L,L')$ state, and no servers have entered or left a
$sent(k,L,L')$ state. Finally, condition (9) is that $\overline{c_i}\langle N_{Ss}\rangle \mid R_2$ contains
no free occurrence of any of the names $p_k$, $K_{iS}$, $K_{Sj}$, $K_{ABk}$ and that
$E \vdash \overline{c_i}\langle N_{Ss}\rangle \mid R_2$. It holds since the same condition holds for $R$, and
we know that $fn((\nu\vec n)\langle L_2\rangle R_2) \subseteq fn(R)$, that the names $\vec n$ are fresh,
and that $E \vdash (\nu\vec n)\langle L_2\rangle R_2$. Therefore, $W'$ is a possible world.

Otherwise, when there is no $i\in Prn$ such that $L_2\sigma = i$, we can simplify
$P'$ as follows:

$P' \sim (\nu\vec n)(\prod_{k\in Ins}A^W(k) \mid \prod_{s'\in 1..r-\{s\}}S^W(s') \mid$
$\quad\prod_{(j,t)\in Prn\times 1..r}B^W(j,t) \mid R_2\sigma)$

We set:

$W' = (snd, srv', rcv, X, E, \sigma, \sigma_{spec}, R_2)$

where $srv'$ is identical to $srv$ except that $srv'(s) = stuck$. With this
definition, $P' \sim (\nu\vec n)P^{W'}$. Given the form of $\sigma$ and $\sigma_{spec}$, $L_2\sigma \neq i$
implies that $L_2\sigma_{spec} \neq i$ for every $i\in Prn$. Letting

$Q' = (\nu\vec n)(\nu p_k^{\,k\in Ins})(\prod_{k\in Ins}A^W_{spec}(k) \mid \prod_{s'\in 1..r-\{s\}}S^W(s') \mid$
$\quad\prod_{i\in Prn}[L_2\sigma_{spec}\ \mathit{is}\ i]\,(\overline{c_i}\langle N_{Ss}\rangle \mid S2(i,N_{Ss})) \mid$
$\quad\prod_{(j,t)\in Prn\times 1..r}B^W_{spec}(j,t) \mid$
$\quad(\prod_{k\in X}p_k(x).F(i,j,M)\ \text{where}\ I_k = (i,j,M)) \mid$
$\quad R_2\sigma_{spec})$

we obtain $Q^W \rightarrow Q' \sim (\nu\vec n)Q^{W'}$.

In this case, it remains to show that the world $W'$ is possible. Conditions (1) and (2) concern the instance sets of $W'$. We have:

$X^{W'}_3 = \{k\in X^W_3 \mid snd(k) \neq sent(N_{Ss},N_{Ss})\}$

from which it follows that $X^{W'}_3 \subseteq X^W_3$. All the other instance sets of
$W'$ equal those of $W$. Since conditions (1) and (2) hold for $W$, they
hold also for $W'$. The rest of the proof that the world $W'$ is possible
is as in the case where there is $i\in Prn$ such that $L_2\sigma = i$.

(2) The reaction $P^W \rightarrow P'$, where

$P' = (\nu\vec n)(\prod_{k'\in Ins-\{k\}}A^W(k') \mid$
$\quad\overline{c_S}\langle (i,\{i,i,j,K_{ABk},L_2\sigma\}_{K_{iS}})\rangle \mid \overline{c_j}\langle (i,\{M\}_{K_{ABk}})\rangle \mid$
$\quad\prod_{s\in 1..r}S^W(s) \mid \prod_{(j,t)\in Prn\times 1..r}B^W(j,t) \mid R_2\sigma)$

arises when $a$ is $c_i$, and there is an input commitment

$A2'(I_k,K_{ABk}) \xrightarrow{c_i} (x)(\overline{c_S}\langle (i,\{i,i,j,K_{ABk},x\}_{K_{iS}})\rangle \mid \overline{c_j}\langle (i,\{M\}_{K_{ABk}})\rangle)$

for some $k\in Ins$ such that $snd(k) = a2$ and $I_k = (i,j,M)$. We set:

$W' = (snd', srv, rcv, X, E', \sigma', \sigma'_{spec}, R_2 \mid \overline{c_S}\langle x_k\rangle \mid \overline{c_j}\langle (i,y_k)\rangle)$

where $snd'$ is identical to $snd$ except that $snd'(k) = sent(L_2\sigma, L_2\sigma_{spec})$
and

$E' = E,\ x_k : \{-\}_{K_{iS}},\ y_k : \{-\}_{K_{ABk}}$
$\sigma' = \sigma,\ \{i,i,j,K_{ABk},L_2\sigma\}_{K_{iS}}/x_k,\ \{M\}_{K_{ABk}}/y_k$
$\sigma'_{spec} = \sigma_{spec},\ \{i,i,j,K_{ABk},L_2\sigma_{spec}\}_{K_{iS}}/x_k,\ \{p_k\}_{K_{ABk}}/y_k$

With this definition, $P' \equiv (\nu\vec n)P^{W'}$; moreover, $Q^W \rightarrow (\nu\vec n)Q^{W'}$.

It remains to show that the world $W'$ is possible. First, we consider
the instance sets of $W'$. They are equal to those of $W$, except for:

$X^{W'}_2 = X^W_2 - \{k\}$ (while $k\in X^W_2$)

$X^{W'}_3 = X^W_3 \cup \{k\}$ if $\exists s\in 1..r,\ i'\in Prn\ (L_2\sigma = L_2\sigma_{spec} = N_{Ss}\ \&\ srv(s)\in\{s1, s2(i')\})$, and $X^{W'}_3 = X^W_3$ otherwise

Therefore, since conditions (1) and (2) hold for $W$, they hold also for
$W'$. Condition (5) holds for $W'$ because there are no names in the
range of $\sigma$ or $\sigma_{spec}$, so for any name $n$ either $L_2\sigma = L_2\sigma_{spec} = n$ or
neither $L_2\sigma = n$ nor $L_2\sigma_{spec} = n$. Conditions (3), (4), (6), (7), (8),
and (9) hold for $W$, and it follows easily that they continue to hold
for $W'$.
(3) The reaction $P^W \rightarrow P'$, where

$P' = (\nu\vec n)(\prod_{k\in Ins}A^W(k) \mid \prod_{s'\in 1..r-\{s\}}S^W(s') \mid$
$\quad\prod_{(j,t)\in Prn\times 1..r}B^W(j,t) \mid R_2\sigma \mid$
$\quad\mathit{let}\ (y_1,y_2) = L_2\sigma\ \mathit{in}$
$\quad[y_1\ \mathit{is}\ i]\ \mathit{case}\ y_2\ \mathit{of}\ \{z_1,z_2,z_3,z_4,z_5\}_{K_{iS}}\ \mathit{in}$
$\quad\prod_{j\in Prn}[z_1\ \mathit{is}\ i][z_2\ \mathit{is}\ i][z_3\ \mathit{is}\ j][z_5\ \mathit{is}\ N_{Ss}]\,(\overline{c_j}\langle *\rangle \mid S4(i,j,z_4)))$

arises when $a$ is $c_S$, and there is an input commitment

$S2(i,N_{Ss}) \xrightarrow{c_S} (x)\mathit{let}\ (y_1,y_2) = x\ \mathit{in}$
$\quad[y_1\ \mathit{is}\ i]\ \mathit{case}\ y_2\ \mathit{of}\ \{z_1,z_2,z_3,z_4,z_5\}_{K_{iS}}\ \mathit{in}$
$\quad\prod_{j\in Prn}[z_1\ \mathit{is}\ i][z_2\ \mathit{is}\ i][z_3\ \mathit{is}\ j][z_5\ \mathit{is}\ N_{Ss}]\,(\overline{c_j}\langle *\rangle \mid S4(i,j,z_4))$

for some $s\in 1..r$ with $srv(s) = s2(i)$.

We argue by cases on whether $L_2\sigma$ is a pair with first component $i$ and
second component a ciphertext under $K_{iS}$ containing $N_{Ss}$ as last field.
By condition (8), $L_2\sigma$ has $i$ as first component if and only if $L_2$ has $i$
as first component. Similarly, since $fn(L_2) \subseteq fn(R) \cup \{\vec n\}$, the second
component of $L_2\sigma$ is a ciphertext under $K_{iS}$ containing $N_{Ss}$ if and only
if the second component of $L_2$ is a variable $x_k$ for some $k\in Ins$ such
that $snd(k) = sent(N_{Ss},L')$ for some $L'$. In this case, the second component of $L_2\sigma$ is $\{i,i,j,K_{ABk},N_{Ss}\}_{K_{iS}}$ where $I_k = (i,j,M)$. Thus,
$L_2\sigma$ determines $k$ uniquely because of the presence of $K_{ABk}$. By condition (5), $L' = N_{Ss}$ and $snd(k) = sent(N_{Ss},N_{Ss})$, so if $L_2$ has the form
$(i,x_k)$, then $L_2\sigma$ and $L_2\sigma_{spec}$ both equal $(i,\{i,i,j,K_{ABk},N_{Ss}\}_{K_{iS}})$.
Conversely, the form of $L_2\sigma_{spec}$ determines the form of $L_2\sigma$.

Assuming that $L_2\sigma$ is a pair of the form described, we can simplify $P'$
as follows:

$P' \equiv (\nu\vec n)(\prod_{k\in Ins}A^W(k) \mid \prod_{s'\in 1..r-\{s\}}S^W(s') \mid S4(i,j,K_{ABk}) \mid$
$\quad\prod_{(j,t)\in Prn\times 1..r}B^W(j,t) \mid \overline{c_j}\langle *\rangle \mid R_2\sigma)$

where $i$, $j$, and $k$ are defined as explained above. We set:

$W' = (snd, srv', rcv, X, E, \sigma, \sigma_{spec}, R_2 \mid \overline{c_j}\langle *\rangle)$

where $srv'$ is identical to $srv$ except that $srv'(s) = s4(k)$. With this
definition, $P' \equiv (\nu\vec n)P^{W'}$ and $Q^W \rightarrow (\nu\vec n)Q^{W'}$.

It remains to show that the world $W'$ is possible. All the instance sets
of $W'$ equal those of $W$, except for:

$X^{W'}_3 = X^W_3 - \{k'\in X^W_3 \mid snd(k') = sent(N_{Ss},N_{Ss})\}$ (while $k\in X^W_3$)
$X^{W'}_5 = X^W_5 \cup \{k\}$

In particular, $k \notin X^{W'}_3$. Therefore, conditions (1) and (2) hold for
$W'$. Conditions (3), (4), (5), (6), (7), (8), and (9) hold for $W$, and it
follows easily that they continue to hold for $W'$. For condition (3), we
use the fact that $snd(k) = sent(N_{Ss},N_{Ss})$.

On the other hand, if $L_2\sigma$ is not of the form described, we can simplify
$P'$ as follows:

$P' \sim (\nu\vec n)(\prod_{k\in Ins}A^W(k) \mid \prod_{s'\in 1..r-\{s\}}S^W(s') \mid$
$\quad\prod_{(j,t)\in Prn\times 1..r}B^W(j,t) \mid R_2\sigma)$

We set:

$W' = (snd, srv', rcv, X, E, \sigma, \sigma_{spec}, R_2)$

where $srv'$ is identical to $srv$ except that $srv'(s) = stuck$. With this
definition, $P' \sim (\nu\vec n)P^{W'}$. Letting

$Q' = (\nu\vec n)(\nu p_k^{\,k\in Ins})(\prod_{k\in Ins}A^W_{spec}(k) \mid \prod_{s'\in 1..r-\{s\}}S^W(s') \mid$
$\quad\mathit{let}\ (y_1,y_2) = L_2\sigma_{spec}\ \mathit{in}\ \ldots \mid$
$\quad\prod_{(j,t)\in Prn\times 1..r}B^W_{spec}(j,t) \mid$
$\quad(\prod_{k\in X}p_k(x).F(i,j,M)\ \text{where}\ I_k = (i,j,M)) \mid$
$\quad R_2\sigma_{spec})$

where the omitted code gets stuck, we obtain $Q^W \rightarrow Q' \sim (\nu\vec n)Q^{W'}$.

In this case, it is easy to check that the world $W'$ is possible. All the
instance sets of $W'$ equal those of $W$, except for:

$X^{W'}_3 = \{k\in X^W_3 \mid snd(k) \neq sent(N_{Ss},N_{Ss})\}$

so $X^{W'}_3 \subseteq X^W_3$.
(4) The reaction $P^W \rightarrow P'$, where

$P' = (\nu\vec n)(\prod_{k\in Ins}A^W(k) \mid \prod_{s\in 1..r}S^W(s) \mid$
$\quad\prod_{(j',t')\in Prn\times 1..r-\{(j,t)\}}B^W(j',t') \mid$
$\quad\overline{c_S}\langle N_{Bjt}\rangle \mid B2(j,\tau.F,N_{Bjt}) \mid R_2\sigma)$

arises when $a$ is $c_j$, and there is an input commitment

$B1'(j,\tau.F,N_{Bjt}) \xrightarrow{c_j} (x)(\overline{c_S}\langle N_{Bjt}\rangle \mid B2(j,\tau.F,N_{Bjt}))$

for some $(j,t)\in Prn\times 1..r$ such that $rcv(j,t) = b1$. We set:

$W' = (snd, srv, rcv', X, E, \sigma, \sigma_{spec}, R_2 \mid \overline{c_S}\langle N_{Bjt}\rangle)$

where $rcv'$ is identical to $rcv$ except that $rcv'(j,t) = b2$. With this
definition, $P' \equiv (\nu\vec n)P^{W'}$ and $Q^W \rightarrow (\nu\vec n)Q^{W'}$. Given that $W$ is a
possible world, so is $W'$; in particular, the instance sets of $W'$ equal
those of $W$.

(5) The reaction $P^W \rightarrow P'$, where

$P' = (\nu\vec n)(\prod_{k\in Ins}A^W(k) \mid \prod_{s'\in 1..r-\{s\}}S^W(s') \mid$
$\quad\prod_{(j,t)\in Prn\times 1..r}B^W(j,t) \mid$
$\quad\overline{c_j}\langle\{S,i,j,K_{ABk},L_2\sigma\}_{K_{Sj}}\rangle \mid R_2\sigma)$

arises when $a$ is $c_S$, and there is an input commitment

$S4(i,j,K_{ABk}) \xrightarrow{c_S} (x)\overline{c_j}\langle\{S,i,j,K_{ABk},x\}_{K_{Sj}}\rangle$

for some $s\in 1..r$ such that $srv(s) = s4(k)$ and $I_k = (i,j,M)$.
We set:

$W' = (snd, srv', rcv, X, E', \sigma', \sigma'_{spec}, R_2 \mid \overline{c_j}\langle z_s\rangle)$

where $srv'$ is identical to $srv$ except that $srv'(s) = sent(k, L_2\sigma, L_2\sigma_{spec})$
and

$E' = E,\ z_s : \{-\}_{K_{Sj}}$
$\sigma' = \sigma,\ \{S,i,j,K_{ABk},L_2\sigma\}_{K_{Sj}}/z_s$
$\sigma'_{spec} = \sigma_{spec},\ \{S,i,j,K_{ABk},L_2\sigma_{spec}\}_{K_{Sj}}/z_s$

With this definition, $P' \equiv (\nu\vec n)P^{W'}$ and $Q^W \rightarrow (\nu\vec n)Q^{W'}$.

It remains to show that the world $W'$ is possible. First, we note
that if $srv(s') = s4(k)$ then $s = s'$, because $srv(s) = s4(k)$ and by
condition (3). Therefore, all the instance sets of $W'$ equal those of $W$,
except for:

$X^{W'}_5 = X^W_5 - \{k\}$

$X^{W'}_6 = X^W_6 \cup \{k\}$ in some cases (exactly when is unimportant), and $X^{W'}_6 = X^W_6$ otherwise

So conditions (1) and (2) hold for $W'$. Since $W$ satisfies conditions
(4) and (5), so does $W'$, trivially. Condition (3) for $W$ implies that
$snd(k) = sent(N_{Ss},N_{Ss})$; it follows that condition (3) holds for $W'$.
Condition (6) holds for $W'$ because there can be no names in the
ranges of $\sigma$ and $\sigma_{spec}$, so, for any name $n$, either $L_2\sigma = L_2\sigma_{spec} = n$
or neither $L_2\sigma = n$ nor $L_2\sigma_{spec} = n$. Conditions (7), (8), and (9) for
$W'$ are easy consequences of the corresponding conditions for $W$.

(6) The reaction $P^W \to P'$, where

$\prod_{(j',t') \in Prn \times 1..r - \{(j,t)\}} B^W(j',t') \mid R_2\sigma \mid$

case $L_2\sigma$ of $\{y_1, y_2, y_3, y_4, y_5\}_{K_{Sj}}$ in
$\prod_{i \in Prn} [y_1 \text{ is } S]\,[y_2 \text{ is } i]\,[y_3 \text{ is } j]\,[y_5 \text{ is } N_{Bjt}]\,B3(i, j, \tau.F, y_4))$

arises when $\alpha$ is $c_j$, and there is an input commitment

$B2(j, \tau.F, N_{Bjt}) \xrightarrow{c_j} (x)$ case $x$ of $\{y_1, y_2, y_3, y_4, y_5\}_{K_{Sj}}$ in
$\prod_{i \in Prn} [y_1 \text{ is } S]\,[y_2 \text{ is } i]\,[y_3 \text{ is } j]\,[y_5 \text{ is } N_{Bjt}]\,B3(i, j, \tau.F, y_4)$

for some $(j,t) \in Prn \times 1..r$ with $rcv(j,t) = b_2$.

We argue by cases on whether $L_2\sigma$ is a ciphertext under $K_{Sj}$ containing
$N_{Bjt}$ as last field. By condition (8), since $fn(L_2) \subseteq fn(R) \cup \{n\}$, $L_2\sigma$ is
a ciphertext under $K_{Sj}$ containing $N_{Bjt}$ if and only if $L_2$ is a variable
$z_s$ for some $s \in 1..r$ such that $srv(s) = sent(k, N_{Bjt}, L')$ for some $k$ and
$L'$. In this case, $L_2\sigma$ is $\{S, i, j, K_{ABk}, N_{Bjt}\}_{K_{Sj}}$ where $I_k = (i,j,M)$.
Thus, $L_2\sigma$ determines $k$ uniquely because of the presence of $K_{ABk}$.
By condition (6), $L' = N_{Bjt}$ and $srv(s) = sent(k, N_{Bjt}, N_{Bjt})$, so if
$L_2$ is $z_s$ then $L_2\sigma$ and $L_2\sigma_{spec}$ both equal $\{S, i, j, K_{ABk}, N_{Bjt}\}_{K_{Sj}}$.
Conversely, the form of $L_2\sigma_{spec}$ determines the form of $L_2\sigma$.

Assuming that $L_2\sigma$ is of the form described, we can simplify $P'$ as
follows:

$P' \equiv (\nu n)(\prod_{k \in Ins} A^W(k) \mid \prod_{s \in 1..r} S^W(s) \mid$

$\prod_{(j',t') \in Prn \times 1..r - \{(j,t)\}} B^W(j',t') \mid B3(i, j, \tau.F, K_{ABk}) \mid$

We set:

$W' = (snd, srv, rcv', X, E, \sigma, \sigma_{spec}, R_2)$

where $rcv'$ is identical to $rcv$ except that $rcv'(j,t) = b_3(k)$. With this
definition, $P' \equiv (\nu n)P^{W'}$ and $(\nu n)Q^{W'}$.

It remains to check that the world $W'$ is possible. All the instance sets
of $W'$ equal those of $W$, except for:

$X_1^{W'} = X_1^W - \{k' \text{ where } I_{k'} = (i', j, M') \text{ and } \exists s' \in 1..r\,(srv(s') = sent(k', N_{Bjt}, N_{Bjt}))\}$ while $k \in X_1^W$

$X_2^{W'} = X_2^W \cup \{k\}$

In particular, $k \notin X_1^{W'}$. Therefore, conditions (1) and (2) hold for $W'$.

Conditions (3), (5), (6), (7), (8), and (9) hold for $W$, and it follows
easily that they continue to hold for $W'$. Condition (4) holds for $W'$
because $srv(s) = sent(k, N_{Bjt}, N_{Bjt})$.

On the other hand, if $L_2\sigma$ is not of the form described, we can simplify
$P'$ as follows:

$P' \equiv (\nu n)(\prod_{k \in Ins} A^W(k) \mid \prod_{s \in 1..r} S^W(s) \mid$

$\prod_{(j',t') \in Prn \times 1..r - \{(j,t)\}} B^W(j',t') \mid R_2\sigma)$

We set:

$W' = (snd, srv, rcv', X, E, \sigma, \sigma_{spec}, R_2)$

where $rcv'$ is identical to $rcv$ except that $rcv'(j,t) = stuck$. With this
definition, $P' \equiv (\nu n)P^{W'}$. Letting

$Q' \equiv (\nu n)(\nu p_k{}^{k \in X})(\prod_{k \in Ins} A_{spec}^W(k) \mid \prod_{s \in 1..r} S^W(s) \mid$

$\prod_{(j',t') \in Prn \times 1..r - \{(j,t)\}} B_{spec}^W(j',t') \mid$

case $L_2\sigma$ of $\{y_1, y_2, y_3, y_4, y_5\}_{K_{Sj}}$ in ... $\mid$

$(\prod_{k \in X} p_k(x).F(i,j,M)$ where $I_k = (i,j,M))$ |

$R_2\sigma_{spec})$

where the omitted code gets stuck, we obtain $Q \to Q' \equiv (\nu n)Q^{W'}$.

In this case, it is easy to check that the world $W'$ is possible. All the
instance sets of $W'$ equal those of $W$, except for:

$X_1^{W'} = X_1^W - \{k \text{ where } I_k = (i,j,M) \text{ and } \exists s \in 1..r\,(srv(s) = sent(k, N_{Bjt}, N_{Bjt}))\}$

so $X_1^{W'} \subseteq X_1^W$.
(7) The reaction $P^W \to P'$, where

$\prod_{(j',t') \in Prn \times 1..r - \{(j,t)\}} B^W(j',t') \mid R_2\sigma \mid$

let $(y_1, y_2) = L_2\sigma$ in $[y_1 \text{ is } i]$ case $y_2$ of $\{z\}_{K_{ABk}}$ in $\tau.F(i,j,z))$

arises when $\alpha$ is $c_j$, and there is an input commitment

$B3(i, j, \tau.F, K_{ABk}) \xrightarrow{c_j} (x)$ let $(y_1, y_2) = x$ in
$[y_1 \text{ is } i]$ case $y_2$ of $\{z\}_{K_{ABk}}$ in $\tau.F(i,j,z)$

for some $k \in Ins$ and $(j,t) \in Prn \times 1..r$ such that $rcv(j,t) = b_3(k)$
and $I_k = (i,j,M)$ for some $M$.

We argue by cases on whether $L_2\sigma$ is a pair with first component $i$
and second component a ciphertext under $K_{ABk}$. By condition (8),
$L_2\sigma$ has $i$ as first component if and only if $L_2$ has $i$ as first
component. Similarly, since $fn(L_2) \subseteq fn(R) \cup \{n\}$, the second component
of $L_2\sigma$ is a ciphertext under $K_{ABk}$ if and only if the second component
of $L_2$ is $y_k$ and $snd(k) = sent(L, L')$ for some $L$ and $L'$. In
this case, the second component of $L_2\sigma$ is $\{M\}_{K_{ABk}}$. Thus, if $L_2$ has
the form $(i, y_k)$, then $L_2\sigma$ equals $(i, \{M\}_{K_{ABk}})$, while $L_2\sigma_{spec}$ equals
$(i, \{p_k\}_{K_{ABk}})$. Conversely, the form of $L_2\sigma_{spec}$ determines the form
of $L_2\sigma$.

Assuming that $L_2\sigma$ is a pair of the form described, we can simplify $P'$
as follows:

$\prod_{(j',t') \in Prn \times 1..r - \{(j,t)\}} B^W(j',t') \mid R_2\sigma \mid \tau.F(i,j,M))$

We set:

$W' = (snd, srv, rcv', X, E, \sigma, \sigma_{spec}, R_2)$

where $rcv'$ is identical to $rcv$ except that $rcv'(j,t) = run(k)$. With
this definition, $P' \equiv (\nu n)P^{W'}$ and $(\nu n)Q^{W'}$.

In order to check that the world $W'$ is possible, we first consider
the instance sets of $W$. First, we argue that $k \notin X_1^{W'}$. It suffices
to show that if $rcv(j,t') = b_3(k)$ then in fact $t = t'$. Condition (4)
for $W$ says that there exists $s \in 1..r$ such that $srv(s) = sent(k, N_{Bjt}, N_{Bjt})$,
and that if $rcv(j,t') = b_3(k)$ then there exists $s' \in 1..r$ such that
$srv(s') = sent(k, N_{Bjt'}, N_{Bjt'})$. Condition (3) for $W$ says that
$snd(k) = sent(N_{Ss}, N_{Ss})$ and $snd(k) = sent(N_{Ss'}, N_{Ss'})$.
Therefore, $s = s'$ and then $t = t'$. We conclude that $k \notin X_1^{W'}$. We
obtain that the instance sets of $W'$ equal those of $W$ except for:

$X_1^{W'} = X_1^W - \{k\}$ while $k \in X_1^W$

$X_2^{W'} = X_2^W \cup \{k\}$

So conditions (1) and (2) hold for $W'$. Conditions (3), (4), (5), (6),
(7), (8), and (9) hold for $W$, and it follows easily that they continue
to hold for $W'$.

On the other hand, if $L_2\sigma$ is not of the form described, we can simplify
$P'$ as follows:

$P' \equiv (\nu n)(\prod_{k \in Ins} A^W(k) \mid \prod_{s \in 1..r} S^W(s) \mid$

$\prod_{(j',t') \in Prn \times 1..r - \{(j,t)\}} B^W(j',t') \mid R_2\sigma)$

We set:

$W' = (snd, srv, rcv', X, E, \sigma, \sigma_{spec}, R_2)$

where $rcv'$ is identical to $rcv$ except that $rcv'(j,t) = stuck$. With this
definition, $P' \equiv (\nu n)P^{W'}$. Letting

$\prod_{(j',t') \in Prn \times 1..r - \{(j,t)\}} B_{spec}^W(j',t') \mid$

let $(y_1, y_2) = L_2\sigma$ in ... $\mid$

$(\prod_{k \in X} p_k(x).F(i,j,M)$ where $I_k = (i,j,M))$ |

where the omitted code gets stuck, we obtain $Q \to Q' \equiv (\nu n)Q^{W'}$.

The proof that $W'$ is possible is almost identical to that just given for
the other case; the only change is that $X_2^{W'} = X_2^W$.

This completes case (A). 

In case (B), the reaction $P^W \to P'$, where

$P' \equiv \prod_{k \in Ins} A^W(k) \mid \prod_{s \in 1..r} S^W(s) \mid$

$\prod_{(j',t') \in Prn \times 1..r - \{(j,t)\}} B^W(j',t') \mid F(i,j,M) \mid R\sigma$

arises from the $\tau$ commitment

$B^W(j,t) \xrightarrow{\tau} F(i,j,M)$

for some $(j,t) \in Prn \times 1..r$ such that $rcv(j,t) = run(k)$ and $I_k = (i,j,M)$
for some $k \in Ins$. Note that $k \in X$, since $rcv(j,t) = run(k)$ implies
$k \in X_2^W \subseteq X$. We set:

$W' = (snd, srv, rcv', X', E, \sigma, \sigma_{spec}, R)$

where $rcv'$ is identical to $rcv$ except that $rcv'(j,t) = done$ and where
$X' = X - \{k\}$. With this definition, $P' \equiv P^{W'}$. Moreover, we have:

$\prod_{(j,t) \in Prn \times 1..r} B_{spec}^W(j,t) \mid$

$(\prod_{k \in X} p_k(x).F(i,j,M)$ where $I_k$

$\equiv (\nu p_k{}^{k \in X})(\prod_{k \in Ins} A_{spec}^W(k) \mid \prod_{s \in 1..r} S^W(s) \mid$

$\prod_{(j',t') \in Prn \times 1..r - \{(j,t)\}} B_{spec}^W(j',t') \mid$

$(\prod_{k \in X'} p_k(x).F(i,j,M)$ where $I_k$

$\overline{p_k}\langle * \rangle \mid p_k(x).F(i,j,M) \mid R\sigma_{spec})$

$\to (\nu p_k{}^{k \in X'})(\prod_{k \in Ins} A_{spec}^W(k) \mid \prod_{s \in 1..r} S^W(s) \mid$

$\prod_{(j',t') \in Prn \times 1..r - \{(j,t)\}} B_{spec}^W(j',t') \mid$

$(\prod_{k \in X'} p_k(x).F(i,j,M)$ where $I_k$

$F(i,j,M) \mid R\sigma_{spec})$

In order to check that the world $W'$ is possible, we first argue that
$k \notin X_2^{W'}$. It suffices to show that if $rcv(j,t') = run(k)$ then in fact
$t = t'$. Condition (4) for $W$ says that there exists $s \in 1..r$ such that
$srv(s) = sent(k, N_{Bjt}, N_{Bjt})$, and that if $rcv(j,t') = run(k)$ then there
exists $s' \in 1..r$ such that $srv(s') = sent(k, N_{Bjt'}, N_{Bjt'})$. Condition (3)
for $W$ says that $snd(k) = sent(N_{Ss}, N_{Ss})$ and $snd(k) = sent(N_{Ss'}, N_{Ss'})$.
Therefore, $s = s'$ and then $t = t'$. We conclude that $k \notin X_2^{W'}$. We
obtain that the instance sets of $W'$ equal those of $W$ except for:

$X_2^{W'} = X_2^W - \{k\}$

So conditions (1) and (2) hold for $W'$. Conditions (3), (4), (5), (6), (7), (8),
and (9) hold for $W$, and it follows easily that they continue to hold for $W'$.
For condition (9), we rely on the fact that $F(i,j,M)$ is a closed process and
that it cannot contain free occurrences of any of the names $p_k$, $K_{iS}$, $K_{Sj}$,
$K_{ABk}$. (The abstraction $F$ cannot contain free occurrences of those names
because of our general convention that bound parameters of the protocol do
not occur free in $F$. The term $M$ cannot because it is part of the arguments
to $Sys$ and $Sys_{spec}$.)
Finally, in case (C), the reaction $P^W \to P'$, where

$P' \equiv \prod_{k \in Ins} A^W(k) \mid \prod_{s \in 1..r} S^W(s) \mid \prod_{(j,t) \in Prn \times 1..r} B^W(j,t) \mid R_1$

arises from the $\tau$ commitment $R\sigma \xrightarrow{\tau} R_1$. Lemma 9(2) implies that there is
a process $R_2$ such that $E \vdash R_2$, $fv(R_2) \subseteq fv(R)$, $fn(R_2) \subseteq fn(R)$, $R_1 = R_2\sigma$,
and $R\sigma_{spec} \xrightarrow{\tau} R_2\sigma_{spec}$. We set:

$W' = (snd, srv, rcv, X, E, \sigma, \sigma_{spec}, R_2)$

With this definition, $P' \equiv P^{W'}$ and $Q \to Q^{W'}$; moreover, $W'$ is a possible
world.

This concludes the proof of the authenticity property, Proposition 21. □

Proposition 21 is rather strong, so we obtain the secrecy property as a 
corollary (Proposition 22). This strength is convenient but not essential: 
weaker formulations of authenticity that do not imply secrecy would be 
satisfactory. 

Proposition 22 If each pair $(I_1, J_1), \ldots, (I_m, J_m)$ is indistinguishable,
then

$Sys(I_1, \ldots, I_m) \simeq Sys(J_1, \ldots, J_m)$

Proof When $I = (i,j,M)$ and $J = (i,j,M')$, the pair $(I, J)$ is indis-
tinguishable only if $F(i,j,M) \simeq F(i,j,M')$. Using the fact that testing
equivalence is a congruence (Proposition 1), we obtain:

$A1_{spec}(I, F) = (\nu p)(A1(i,j,p) \mid p(x).F(i,j,M))$
$\simeq (\nu p)(A1(i,j,p) \mid p(x).F(i,j,M'))$
$= A1_{spec}(J, F)$

If each pair $(I_1, J_1), \ldots, (I_m, J_m)$ is indistinguishable, then Propositions 1
and 21 permit the following calculation:

$Sys(I_1, \ldots, I_m) \simeq Sys_{spec}(I_1, \ldots, I_m)$

$= (\nu K_{iS}{}^{i \in Prn})(\nu K_{Sj}{}^{j \in Prn})$
$(\prod_{k \in Ins} A1_{spec}(I_k, F) \mid {!}S1 \mid \prod_{j \in Prn} {!}B1(j, F_{spec}))$

$\simeq (\nu K_{iS}{}^{i \in Prn})(\nu K_{Sj}{}^{j \in Prn})$
$(\prod_{k \in Ins} A1_{spec}(J_k, F) \mid {!}S1 \mid \prod_{j \in Prn} {!}B1(j, F_{spec}))$

$= Sys_{spec}(J_1, \ldots, J_m)$

$\simeq Sys(J_1, \ldots, J_m)$

This completes the proof of the secrecy property. □
7 Further Cryptographic Primitives 



Although so far we have discussed only shared-key cryptography, other kinds
of cryptography are also easy to treat within the spi calculus. In this section
we show how to handle cryptographic hashing, public-key encryption, and
digital signatures. We add syntax for these operations to the spi calculus and
give their semantics. We thus provide evidence that our ideas are applicable
to a wide range of security protocols, beyond those that rely on shared-key
encryption. We believe that we may be able to deal similarly with
Diffie-Hellman techniques and with secret sharing. However, protocols for
oblivious transfer and for zero-knowledge proofs, for example, are probably
beyond the scope of our approach.

7.1 Hashing 

A cryptographic hash function has the properties that it is very expensive to
recover an input from its image or to find two inputs with the same image.
Functions such as SHA and RIPE-MD are generally believed to have these
properties [Sch96b].

When we represent hash functions in the spi calculus, we pretend that
operations that are very expensive are altogether impossible. We simply
add a construct to the syntax of terms of the spi calculus:

    L, M, N ::=               terms
        as in Section 3.1
        H(M)                  hashing

The syntax of processes is unchanged. Intuitively, H{M) represents the hash 
of M. The absence of a construct for recovering M from H{M) corresponds 
to the assumption that H cannot be inverted. The lack of any equations 
H{M) = H{M') corresponds to the assumption that H is free of collisions. 

7.2 Public-Key Encryption and Digital Signatures 

Traditional public-key encryption systems are based on key pairs. Normally, 
one of the keys in each pair is private to one principal, while the other key 
is public. Any principal can encrypt a message using the public key; only a 
principal that has the private key can then decrypt the message. 

We assume that neither key can be recovered from the other. We could 
just as easily deal with the case where the public key can be derived from 
the private one. Much as in Section 3.1, we also assume that the only way
to decrypt an encrypted packet is to know the corresponding private key;
that an encrypted packet does not reveal the public key that was used to
encrypt it; and that there is sufficient redundancy in messages so that the
decryption algorithm can detect whether a ciphertext was encrypted with
the expected public key.

We arrive at the following syntax for the spi calculus with public-key 
encryption. (This syntax is concise, rather than memorable.) 

    L, M, N ::=                    terms
        as in Section 3.1
        M^+                        public part
        M^-                        private part
        {[M]}_N                    public-key encryption

    P, Q ::=                       processes
        as in Section 3.1
        case L of {[x]}_N in P     decryption

If $M$ represents a key pair, then $M^+$ represents its public half and $M^-$ repre-
sents its private half. Given a public key $N$, the term $\{[M]\}_N$ represents the
result of the public-key encryption of $M$ with $N$. In case $L$ of $\{[x]\}_N$ in $P$,
the variable $x$ is bound in $P$. This construct is useful when $N$ is a private
key $K^-$; then it binds $x$ to the $M$ such that $\{[M]\}_{K^+}$ is $L$, if such an $M$
exists.

It is also common to use key pairs for digital signatures. Private keys 
are used for signing, while public keys are used for checking signatures. We 
can represent digital signatures through the following extended syntax: 

    L, M, N ::=                    terms
        as above
        [{M}]_N                    private-key signature

    P, Q ::=                       processes
        as above
        case N of [{x}]_M in P     signature check

Given a private key $N$, the term $[\{M\}]_N$ represents the result of the signa-
ture of $M$ with $N$. Again, the variable $x$ is bound in $P$ in the construct
case $N$ of $[\{x\}]_M$ in $P$. This construct is dual to case $L$ of $\{[x]\}_N$ in $P$. The
new construct is useful when $N$ is a public key $K^+$; then it binds $x$ to the $M$
such that $[\{M\}]_{K^-}$ is $L$, if such an $M$ exists. (Thus, we are assuming that
$M$ can be recovered from the result of signing it; but there is no difficulty
in dropping this assumption.)

Formally, the semantics of the new constructs is captured with two new 
rules for the reduction relation: 

    (Red Public Decrypt)     case {[M]}_{N^+} of {[x]}_{N^-} in P  >  P[M/x]
    (Red Signature Check)    case [{M}]_{N^-} of [{x}]_{N^+} in P  >  P[M/x]

We believe that our basic theoretical results for the spi calculus still apply. 

As a small example, we can write the following public-key analogue for 
the protocol of Section 3.2.1: 

$A(M) = \overline{c_{AB}}\langle \{[M, [\{H(M)\}]_{K_A^-}]\}_{K_B^+}\rangle$

$B = c_{AB}(x).$ case $x$ of $\{[y]\}_{K_B^-}$ in
    let $(y_1, y_2) = y$ in
    case $y_2$ of $[\{z\}]_{K_A^+}$ in
    $[H(y_1) \text{ is } z]\ F(y_1)$

$Inst(M) = (\nu K_A)(\nu K_B)(A(M) \mid B)$

In this protocol, $A$ sends $M$ on the channel $c_{AB}$, signed with $A$'s private
key and encrypted under $B$'s public key; the signature is applied to a hash
of $M$ rather than to $M$ itself. On receipt of a message on $c_{AB}$, $B$ decrypts
using its private key, checks $A$'s signature using $A$'s public key, checks the
hash, and applies $F$ to the body of the message (to $M$). The key pairs $K_A$
and $K_B$ are restricted; but there would be no harm in sending their public
parts $K_A^+$ and $K_B^+$ on a public channel.
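As an added example (not code from the paper), here is a small Python model of the term algebra of Sections 7.1 and 7.2: H is a free constructor with no inverse, and pub_decrypt and sig_check implement (Red Public Decrypt) and (Red Signature Check) as partial functions that are stuck (return None) unless the key halves match. A_message and B_receive follow the protocol Inst(M) above; the names K_A, K_B, K_E, M, M' and all function names are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Union


@dataclass(frozen=True)
class Name:      # a name: a key pair K, a message M, ...
    n: str


@dataclass(frozen=True)
class Pub:       # M+ : public part of key pair M
    pair: Name


@dataclass(frozen=True)
class Priv:      # M- : private part of key pair M
    pair: Name


@dataclass(frozen=True)
class Pair:      # (M, N)
    fst: Term
    snd: Term


@dataclass(frozen=True)
class Hash:      # H(M): no inverse and no equations, so a free constructor
    body: Term


@dataclass(frozen=True)
class PubEnc:    # {[M]}_N : public-key encryption of M under N
    body: Term
    key: Term


@dataclass(frozen=True)
class Sig:       # [{M}]_N : signature of M with N
    body: Term
    key: Term


Term = Union[Name, Pub, Priv, Pair, Hash, PubEnc, Sig]


def pub_decrypt(L: Term, N: Term) -> Optional[Term]:
    """case L of {[x]}_N in P. (Red Public Decrypt) fires only when L is
    {[M]}_{K+} and N is K-; in every other case the process is stuck."""
    if isinstance(L, PubEnc) and isinstance(L.key, Pub) and N == Priv(L.key.pair):
        return L.body
    return None


def sig_check(L: Term, N: Term) -> Optional[Term]:
    """case L of [{x}]_N in P. (Red Signature Check) fires only when L is
    [{M}]_{K-} and N is K+; otherwise stuck. Returning M reflects the
    paper's assumption that M is recoverable from its signature."""
    if isinstance(L, Sig) and isinstance(L.key, Priv) and N == Pub(L.key.pair):
        return L.body
    return None


def A_message(M: Term, KA: Name, KB: Name) -> Term:
    """A(M) = c_AB<{[M, [{H(M)}]_{KA-}]}_{KB+}>: the term A puts on c_AB."""
    return PubEnc(Pair(M, Sig(Hash(M), Priv(KA))), Pub(KB))


def B_receive(x: Term, KA: Name, KB: Name) -> Optional[Term]:
    """B = c_AB(x). case x of {[y]}_{KB-} in let (y1,y2) = y in
    case y2 of [{z}]_{KA+} in [H(y1) is z] F(y1).
    Returns the term handed to F, or None where B gets stuck."""
    y = pub_decrypt(x, Priv(KB))
    if not isinstance(y, Pair):     # let (y1, y2) = y is stuck on a non-pair
        return None
    y1, y2 = y.fst, y.snd
    z = sig_check(y2, Pub(KA))
    if z is None:
        return None
    if Hash(y1) != z:               # the match [H(y1) is z] fails
        return None
    return y1


# Constructed sample names (chosen for this example, not from the paper);
# K_E is a key pair owned by the environment.
KA, KB, KE = Name("K_A"), Name("K_B"), Name("K_E")
M, M2 = Name("M"), Name("M'")


def honest_run() -> Optional[Term]:
    return B_receive(A_message(M, KA, KB), KA, KB)


def substituted_body() -> Optional[Term]:
    """A's signature on H(M) packaged with a different body M': decryption
    and the signature check succeed, but [H(y1) is z] fails."""
    return B_receive(PubEnc(Pair(M2, Sig(Hash(M), Priv(KA))), Pub(KB)), KA, KB)


def foreign_signature() -> Optional[Term]:
    """Signed with K_E- instead of K_A-: the check under K_A+ is stuck."""
    return B_receive(A_message(M, KE, KB), KA, KB)


def wrong_recipient() -> Optional[Term]:
    """Encrypted under K_E+: B's decryption under K_B- is stuck."""
    return B_receive(A_message(M, KA, KE), KA, KB)
```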

Undoubtedly, other formalizations of public-key cryptography are pos- 
sible, perhaps even desirable. In particular, we have represented crypto- 
graphic operations at an abstract level, and do not attempt to model closely 
the properties of any one algorithm. We are concerned with public-key 
encryption and digital signatures in general rather than with their RSA 
implementations, say. The RSA system satisfies equations that our formal- 
ization does not capture. For example, in the RSA system, $[\{\{[M]\}_{K^+}\}]_{K^-}$
equals $M$. We leave the treatment of those equations for future work.

8 Conclusions 

We have applied both the standard pi calculus and the new spi calculus in
the description and analysis of security protocols. As examples, we chose
protocols of the sort commonly found in the authentication literature. We
showed how to represent the protocols, how to express their security prop-
erties, and how to prove some of these properties. Our model of protocols
takes into account the possibility of attacks, but does not require writing
explicit specifications for an attacker. In particular, we express secrecy prop-
erties as simple equations that mean indistinguishability from the point of
view of an arbitrary attacker. To our knowledge, this sharp treatment of
attacks has not been previously possible.

Although our examples are small, we have found them instructive. Some 
of the techniques that we developed may be amenable to automation; the 
experience in other process algebras is encouraging. Moreover, there seems 
to be no fundamental difficulty in writing other kinds of examples, such 
as protocols for electronic commerce. Unfortunately, the specifications for 
those protocols do not yet seem to be fully understood, even in informal 
terms [Mao96]. 

In both the pi calculus and the spi calculus, restriction and scope extru- 
sion play a central role. The pi calculus provides an abstract treatment of 
channels, while the spi calculus expresses the cryptographic operations that 
usually underlie channels in systems for distributed security. Thus, the pi 
calculus and the spi calculus are appropriate at different levels. 

Those two levels are however related. In particular, as we have discussed 
briefly, we can specify a security protocol abstractly and then implement it 
using cryptography. Similarly, we may give an API (application program- 
ming interface) for secure channels and implement it on top of an API for 
cryptography. In more formal terms, it should be possible to define crypto- 
graphic implementations for the pi calculus, translating restricted channels 
into public channels with encryption. Implementation relations such as these 
are useful in practice; they seem worth studying further. 
Appendices 



A Encoding Encryption in the Pi Calculus 

Before inventing the spi calculus, we considered but rejected several schemes 
for encoding encryption within the pi calculus. 

An obvious first idea is to represent keys as channels, and encrypted 
communication as communication on restricted channels. This scheme works 
reasonably well in some examples, but it is not clear how to turn it into a 
general encoding. For example, it is not straightforward to represent data 
encrypted under several keys. 

Milner has shown how to represent a piece of data as a process located 
at a channel m, that is, a process listening on channel m. A second scheme 
for encoding encryption extends Milner's idea. Let F be a pi calculus ab- 
straction (a process with an abstracted name) that represents some data. 
We can represent F encrypted with K, to be located at m, by the following 
abstraction: 

$\{F\}_K = (m)\, m(J, n).[J \text{ is } K]\, F(n)$

Given a channel m, the right-hand side is a process that inputs the pair 
(J, n) off channel m. If J is the key then it runs F with the abstracted 
variable instantiated to n; otherwise it does nothing. In other words, it 
offers access to F to anyone who can provide the secret key K. We can 
then represent an abstraction that attempts to decrypt such an encrypted 
datum, located at m, and locates the result at its parameter n, as follows: 

$Decrypt(m, K) = (n)\, \overline{m}\langle (K, n) \rangle$

When we locate these abstractions at names m and n, we obtain the reac- 
tions: 

$\{F\}_K(m) \mid Decrypt(m, K)(n) \to F(n)$

This representation certainly prevents anybody from accessing F unless they 
know K. But it allows attacks: 

(1) An agent who possesses a secret key must transmit it to the process 
representing the encrypted data. In the simple scheme described here 
there is nothing to stop an attacker from impersonating encrypted 
data and thereby obtaining the corresponding secret key. 

(2) After decryption there is no guarantee that the message returned was
really encrypted with the secret key. An attacker could masquerade as
a piece of encrypted data and provide an incorrect message to anyone
who asks.

A third scheme is based on a mild extension of the pi calculus in which
channels may be multi-names, that is, tuples of names. We modify the
encoding above so that the encrypted process $\{F\}_K(m)$ inputs $n$ off the
multi-name channel $(m, K)$. Decryption amounts to sending $n$ on this multi-
name. Synchronization on the pair $(m, K)$ guarantees simultaneously that
both parties know both the location $m$ of the data and the secret key $K$.
The two attacks above are therefore no longer possible. This scheme is
attractive, because it enables us to remain close to the standard pi calculus.
Unfortunately, this scheme does not account for protocols in which keys are
made by hashing data, for instance.

A fourth scheme relies on a process, the "Global Cryptographic Device" 
(GCD for short), trusted by all participants; GCD mediates all encryption 
and decryption via a global list of encrypted messages. In this scheme there 
would be a private channel between each participant and GCD that is used 
by the participant to invoke encryption or decryption. To decrypt a message, 
the participant would send the necessary secret key to GCD, rather than to 
the purported encrypted message. We are reluctant to pursue this scheme 
because of its complexity. 

Having syntax for both processes and data, as in the spi calculus, gives 
us advantages over these schemes. First, we avoid having to encode data 
as processes. In addition, we can axiomatize encryption and decryption, for 
both shared-key and public-key cryptography, directly in our operational 
semantics. This higher-level approach appears to be more convenient to 
work with than any approach based on encodings, while retaining many of 
the fundamental ideas of the pi calculus. 

B Proofs about Commitment 

In this section we prove Propositions 2, 3, and 4, from Section 5.1, which 
connect the relations of reaction, commitment, and exhibition of a barb. 

We begin with a lemma that relates the free names of a process to the 
free names of any agent to which it commits. 

Lemma 23 

(1) If $P \xrightarrow{\tau} Q$ then $fn(Q) \subseteq fn(P)$.

(2) If $P \xrightarrow{m} (x)Q$ then $\{m\} \cup fn(Q) \subseteq fn(P)$.

(3) If $P \xrightarrow{\bar m} (\nu \vec n)\langle M \rangle Q$ then $\{m\} \cup fn((\nu \vec n)\langle M \rangle Q) \subseteq fn(P)$ and
$\{\vec n\} \subseteq fn(M)$.

Proof By induction on the derivation of the commitment. □ 

The purpose of the next lemma is to show that $P \xrightarrow{\tau} Q$ implies $P \to Q$,
half of Proposition 3.

Lemma 24

(1) If $P \xrightarrow{m} (x)Q$ then there are $Q_1$, $Q_2$, and names $\vec p$ such that $m \notin \{\vec p\}$,
$P \equiv (\nu \vec p)(Q_1 \mid m(x).Q_2)$, and $Q[M/x] \equiv ((\nu \vec p)(Q_1 \mid Q_2))[M/x]$ for
any closed $M$.

(2) If $P \xrightarrow{\bar m} (\nu \vec n)\langle M \rangle Q$ then there are $Q_1$, $Q_2$, and names $\vec p$ such that
$m \notin \{\vec p\}$, $fn(M) \cap \{\vec p\} = \emptyset$, $P \equiv (\nu \vec n, \vec p)(Q_1 \mid \overline{m}\langle M \rangle.Q_2)$, and
$Q \equiv (\nu \vec p)(Q_1 \mid Q_2)$.

(3) If $P \xrightarrow{\tau} Q$ then $P \to Q$.

Proof In each case, by induction on the derivation of the commitment 
of P. □ 

The key fact we need for the other direction of Proposition 3 is that 
structural equivalence is a strong bisimulation. 

Lemma 25 $P \equiv Q$ implies that:

(1) whenever $P \xrightarrow{\alpha} A$ there is $B$ with $Q \xrightarrow{\alpha} B$ and $A \equiv B$;

(2) whenever $Q \xrightarrow{\alpha} B$ there is $A$ with $P \xrightarrow{\alpha} A$ and $A \equiv B$.

Hence structural equivalence is a strong bisimulation.

Proof By induction on the derivation of $P \equiv Q$.

First, we consider the possibility that $P \equiv Q$ is an instance of one of the
six basic equations of structural equivalence. We show two representative
cases, those for the equations (Struct Switch) and (Struct Drop).

(Struct Switch) Here $P = (\nu m)(\nu n)R$ and $Q = (\nu n)(\nu m)R$. The case
where $m$ and $n$ are the same is trivial. In the case where $m$ and $n$
are distinct, we examine the commitments of $R$, which determine the
commitments of both $P$ and $Q$; the lemma's parts (1) and (2) follow.
• $R \xrightarrow{p} (x)R'$. If $p \in \{m, n\}$ then neither $P$ nor $Q$ has a commit-
ment. Otherwise, the only commitments of $P$ and $Q$ are:

$P \xrightarrow{p} (x)(\nu m)(\nu n)R'$ and $Q \xrightarrow{p} (x)(\nu n)(\nu m)R'$

We have $((\nu m)(\nu n)R')[M/x] \equiv ((\nu n)(\nu m)R')[M/x]$ for every
closed term $M$, so we are done.

• $R \xrightarrow{\tau} R'$. The only commitments of $P$ and $Q$ are:

$P \xrightarrow{\tau} (\nu m)(\nu n)R'$ and $Q \xrightarrow{\tau} (\nu n)(\nu m)R'$

and we have $(\nu m)(\nu n)R' \equiv (\nu n)(\nu m)R'$.

• $R \xrightarrow{\bar p} (\nu \vec n)\langle M \rangle R'$. We may assume that the set of bound names
$\{\vec n\}$ is disjoint from $\{m, n\}$. If $p \in \{m, n\}$ then neither $P$ nor $Q$
has a commitment. Otherwise, the only commitment of $P$ is one
of the following:

(1) $P \xrightarrow{\bar p} (\nu \vec n)\langle M \rangle(\nu m)(\nu n)R'$ if $m \notin fv(M)$ and $n \notin fv(M)$;

(2) $P \xrightarrow{\bar p} (\nu m, \vec n)\langle M \rangle(\nu n)R'$ if $m \in fv(M)$ and $n \notin fv(M)$;

(3) $P \xrightarrow{\bar p} (\nu n, \vec n)\langle M \rangle(\nu m)R'$ if $m \notin fv(M)$ and $n \in fv(M)$;

(4) $P \xrightarrow{\bar p} (\nu m, n, \vec n)\langle M \rangle R'$ if $m \in fv(M)$ and $n \in fv(M)$.

In each case the only commitment of $Q$ matches the commitment
of $P$. In case (4), $Q \xrightarrow{\bar p} (\nu n, m, \vec n)\langle M \rangle R'$ and we have:

$(\nu m, n, \vec n)\langle M \rangle R' \equiv (\nu n, m, \vec n)\langle M \rangle R'$

since the definition of $\equiv$ allows the restricted names to be per-
muted. (If this permutation were not allowed, (Struct Switch)
would prevent structural equivalence from being a strong bisim-
ulation.)

(Struct Drop) Here $P = (\nu m)0$ and $Q = 0$. Therefore, neither $P$ nor $Q$
has any commitments, so they trivially satisfy parts (1) and (2).

The cases for (Struct Nil) and (Struct Comm) are simple. The cases for
(Struct Extrusion) and (Struct Assoc) involve larger case analyses, but are
no harder, than the cases shown.

Second, we consider the possibility that P = Q is obtained through one 
of the inference rules of structural equivalence. 
(Struct Red) Here $P > Q$. By inspecting the definition of the reduction
relation, we can see that the only commitment rule that applies to $P$
is (Comm Red). Moreover, if $P > Q'$ then $Q'$ is $Q$. Therefore for any
$\alpha$ and $A$, we have that $P \xrightarrow{\alpha} A$ iff $Q \xrightarrow{\alpha} A$. Since $\equiv$ is reflexive,
parts (1) and (2) follow.

(Struct Refl) Here P = Q, so parts (1) and (2) follow at once. 

(Struct Symm) Here P = Q is obtained from Q = P. Part (2) of the 
induction hypothesis supplies part (1) of what is to be proved; part 
(1) of the induction hypothesis supplies the other part. 

(Struct Trans) Here $P \equiv Q$ is obtained from $P \equiv P'$ and $P' \equiv Q$, for
some intermediate process $P'$. For part (1), suppose that $P \xrightarrow{\alpha} A$.
Since $P \equiv P'$, the induction hypothesis implies that there is an agent
$A'$ such that $P' \xrightarrow{\alpha} A'$ and $A \equiv A'$. Since $P' \equiv Q$, the induction
hypothesis implies that there is an agent $B$ such that $Q \xrightarrow{\alpha} B$ and
$A' \equiv B$. Since $\equiv$ is transitive, so is $\equiv$ on agents. Therefore we have $A \equiv B$,
completing the proof of part (1). Part (2) follows by symmetry.

(Struct Par) Here $P \equiv Q$ is obtained from $P_1 \equiv Q_1$ with $P = P_1 \mid R$ and
$Q = Q_1 \mid R$. For part (1), suppose that $P \xrightarrow{\alpha} A$. There are four cases
to consider.

(Comm Inter 1) Here $\alpha = \tau$, $P_1 \xrightarrow{m} (x)P_2$, $R \xrightarrow{\bar m} (\nu \vec n)\langle M \rangle R'$, and
$A = (\nu \vec n)(P_2[M/x] \mid R')$. By induction hypothesis, there exists
$Q_2$ such that $Q_1 \xrightarrow{m} (x)Q_2$ and $(x)P_2 \equiv (x)Q_2$. Therefore, since
$M$ is closed, $P_2[M/x] \equiv Q_2[M/x]$. We let $B = (\nu \vec n)(Q_2[M/x] \mid R')$.
By (Comm Inter 1), we have $Q \xrightarrow{\tau} B$. Moreover $A \equiv B$,
since

$(\nu \vec n)(P_2[M/x] \mid R') \equiv (\nu \vec n)(Q_2[M/x] \mid R')$

and $A$ and $B$ are processes.

(Comm Inter 2) Here $\alpha = \tau$, $P_1 \xrightarrow{\bar m} (\nu \vec n)\langle M \rangle P_2$, $R \xrightarrow{m} (x)R'$, and
$A = (\nu \vec n)(P_2 \mid R'[M/x])$. By induction hypothesis, there exist
$Q_2$ and $\vec m$ such that $Q_1 \xrightarrow{\bar m} (\nu \vec m)\langle M \rangle Q_2$, $P_2 \equiv Q_2$, and $\vec m$ is a
permutation of $\vec n$. We let $B = (\nu \vec m)(Q_2 \mid R'[M/x])$. By (Comm
Inter 2), we have $Q \xrightarrow{\tau} B$ and $A \equiv B$, since

$(\nu \vec n)(P_2 \mid R'[M/x]) \equiv (\nu \vec n)(Q_2 \mid R'[M/x])$

and then, by (Struct Switch) and (Struct Res),

$(\nu \vec n)(P_2 \mid R'[M/x]) \equiv (\nu \vec m)(Q_2 \mid R'[M/x])$
(Comm Par 1) Here $P_1 \xrightarrow{\alpha} A_1$ and $A = A_1 \mid R$. By induction
hypothesis, there exists $B_1$ such that $Q_1 \xrightarrow{\alpha} B_1$ and $A_1 \equiv B_1$.
We let $B = B_1 \mid R$. By (Comm Par 1), we have $Q \xrightarrow{\alpha} B$.
Whether $A_1$ and $B_1$ are processes, abstractions, or concretions,
$A_1 \equiv B_1$ implies $A_1 \mid R \equiv B_1 \mid R$.

(Comm Par 2) Here $R \xrightarrow{\alpha} A_1$ and $A = P \mid A_1$. By (Comm Par 2),
we have $Q \xrightarrow{\alpha} Q \mid A_1$. Whether $A_1$ is a process, an abstraction,
or a concretion, $P \equiv Q$ implies $P \mid A_1 \equiv Q \mid A_1$.

This completes the proof of part (1); part (2) follows by symmetry.

(Struct Res) Here $P \equiv Q$ is obtained from $P_1 \equiv Q_1$, where $P = (\nu m)P_1$
and $Q = (\nu m)Q_1$. Again by symmetry we need to consider only
part (1). Suppose that $P \xrightarrow{\alpha} A$. The rule (Comm Res) is the only one
that can yield a commitment from a restriction. So there must be $A_1$
such that $P_1 \xrightarrow{\alpha} A_1$ with $\alpha \notin \{m, \bar m\}$ and $A = (\nu m)A_1$. By induction
hypothesis, there is $B_1$ with $Q_1 \xrightarrow{\alpha} B_1$ and $A_1 \equiv B_1$. By (Struct
Res), we have $Q \xrightarrow{\alpha} (\nu m)B_1$. Whether $A_1$ and $B_1$ are processes,
abstractions, or concretions, $A_1 \equiv B_1$ implies $(\nu m)A_1 \equiv (\nu m)B_1$.
Therefore part (1) follows. □

We can now prove the three propositions claimed in Section 5.1. 

Proof of Proposition 2 $P \downarrow \beta$ iff $\exists A\,(P \xrightarrow{\beta} A)$.

Proof This is not entirely trivial, as the $\downarrow$ relation is defined using struc-
tural equivalence, but the transition relation is not. We can easily show
that $P \xrightarrow{\beta} A$ implies $P \downarrow \beta$ by induction on the derivation of $P \xrightarrow{\beta} A$,
using (Barb Struct) where necessary. On the other hand, we can show that
$P \downarrow \beta$ implies $\exists A\,(P \xrightarrow{\beta} A)$ by induction on the derivation of $P \downarrow \beta$. The
case of (Barb Struct) needs the fact that if $\exists A\,(P \xrightarrow{\beta} A)$ and $P \equiv Q$ then
$\exists A\,(Q \xrightarrow{\beta} A)$ also, which follows from Lemma 25. □

Proof of Proposition 3 $P \to Q$ iff $P \xrightarrow{\tau} \equiv Q$.

Proof For the backwards direction suppose $P \xrightarrow{\tau} R$ and $R \equiv Q$. By
Lemma 24(3), $P \to R$, and then $P \to Q$ by (React Struct).

We can show that $P \to Q$ implies that there exists $R$ such that $P \xrightarrow{\tau} R$
and $R \equiv Q$ by induction on the derivation of $P \to Q$. The only interesting
case is (React Struct). Suppose that $P \to Q$ follows from $P \equiv P'$, $P' \to Q'$,
and $Q' \equiv Q$. By induction hypothesis, $P' \xrightarrow{\tau} Q''$ with $Q'' \equiv Q'$. By
Lemma 25, structural equivalence is a strong bisimulation, so $P \xrightarrow{\tau} R$ for
some $R$ such that $R \equiv Q''$. This with the previous equations gives $R \equiv Q$
as required. □

Proof of Proposition 4 $P$ passes a test $(R, \beta)$ iff there exist an agent
$A$ and a process $Q$ such that $P \mid R \to^* Q$ and $Q \xrightarrow{\beta} A$.

Proof By definition, $P$ passes a test $(R, \beta)$ iff $P \mid R \Downarrow \beta$, which holds iff
there is $Q$ with $P \mid R \to^* Q$ and $Q \downarrow \beta$, which by (Barb Struct), Lemma 25,
and Propositions 2 and 3 is equivalent to there being $Q$ and $A$ with
$P \mid R \to^* Q$ and $Q \xrightarrow{\beta} A$. □



C Proofs about Replication 

This section is devoted to lemmas concerning the interaction between repli- 
cation and commitment, reaction, and convergence. 

Lemma 26

(1) If ${!}P \xrightarrow{m} (x)Q$, then there is $R$ with $P \xrightarrow{m} (x)R$ and $Q[M/x] \equiv
R[M/x] \mid {!}P$ for any closed $M$.

(2) If ${!}P \xrightarrow{\bar m} (\nu \vec n)\langle M \rangle Q$, then there is $R$ with $P \xrightarrow{\bar m} (\nu \vec n)\langle M \rangle R$ and
$Q \equiv R \mid {!}P$.

(3) If ${!}P \xrightarrow{\tau} Q$, then there is $R$ with $P \mid P \xrightarrow{\tau} R$ and $Q \equiv R \mid {!}P$.
Proof

(1) By induction on the derivation of ${!}P \xrightarrow{m} (x)Q$. Such a commitment
must be derived from $P \mid {!}P \xrightarrow{m} (x)Q$ via (Comm Red) and (Red
Repl). The latter commitment must be derived from (Comm Par
1) or (Comm Par 2). In the first case, we have $P \xrightarrow{m} (x)R$ and
$Q = R \mid {!}P$, so we are done. In the second case, we have ${!}P \xrightarrow{m} (x)R'$
and $Q = P \mid R'$. By induction hypothesis, there is $R$ such that
$P \xrightarrow{m} (x)R$ and $R'[M/x] \equiv R[M/x] \mid {!}P$ for any closed $M$. Hence, for
any closed $M$, $Q[M/x] \equiv P \mid R[M/x] \mid {!}P \equiv R[M/x] \mid {!}P$, so we are
done.
(2) By induction on the derivation of ${!}P \xrightarrow{\bar m} (\nu \vec n)\langle M \rangle Q$. Such a com-
mitment must be derived from $P \mid {!}P \xrightarrow{\bar m} (\nu \vec n)\langle M \rangle Q$ via (Comm
Red) and (Red Repl). The latter commitment must be derived from
(Comm Par 1) or (Comm Par 2). In the first case, we immediately
have $P \xrightarrow{\bar m} (\nu \vec n)\langle M \rangle R$ and $Q = R \mid {!}P$. In the second case, we
have ${!}P \xrightarrow{\bar m} (\nu \vec n)\langle M \rangle R'$ and $Q = P \mid R'$. By induction hypothe-
sis, there is $R$ such that $P \xrightarrow{\bar m} (\nu \vec n)\langle M \rangle R$ and $R' \equiv R \mid {!}P$. Hence
$Q \equiv P \mid R \mid {!}P \equiv R \mid {!}P$.

(3) By induction on the derivation of ${!}P \xrightarrow{\tau} Q$. Such a commitment must
be derived from $P \mid {!}P \xrightarrow{\tau} Q$ via (Comm Red) and (Red Repl). There
are four rules that could yield the latter commitment.

(Comm Par 1) Here $P \xrightarrow{\tau} R'$ and $Q = R' \mid {!}P$. Let $R = R' \mid P$.
We may derive $P \mid P \xrightarrow{\tau} R$ by (Comm Par 1) and indeed $Q \equiv
R' \mid P \mid {!}P = R \mid {!}P$.

(Comm Par 2) Here ${!}P \xrightarrow{\tau} R'$ and $Q = P \mid R'$. By induction
hypothesis, there is $R$ such that $P \mid P \xrightarrow{\tau} R$ and $R' \equiv R \mid {!}P$.
Since $Q \equiv P \mid R \mid {!}P \equiv R \mid {!}P$, we are done.

(Comm Inter 1) Here $P \xrightarrow{m} (x)P_1$ and ${!}P \xrightarrow{\bar m} (\nu \vec n)\langle M \rangle P_2$ with
$Q = (\nu \vec n)(P_1[M/x] \mid P_2)$. By part (2), there is $R$ such that
$P \xrightarrow{\bar m} (\nu \vec n)\langle M \rangle R$ and $P_2 \equiv R \mid {!}P$. By (Comm Inter 1), $P \mid
P \xrightarrow{\tau} (\nu \vec n)(P_1[M/x] \mid R)$ and we can calculate the following:

$Q = (\nu \vec n)(P_1[M/x] \mid P_2)$
$\equiv (\nu \vec n)(P_1[M/x] \mid R \mid {!}P)$
$\equiv (\nu \vec n)(P_1[M/x] \mid R) \mid {!}P$

The last step uses (Struct Extrusion), and the fact that we may
assume that the bound names $\{\vec n\}$ do not occur free in $P$.

(Comm Inter 2) Here $P \xrightarrow{\bar m} (\nu \vec n)\langle M \rangle P_1$ and ${!}P \xrightarrow{m} (x)P_2$ with
$Q = (\nu \vec n)(P_1 \mid P_2[M/x])$. By part (1), there is $R$ such that
$P \xrightarrow{m} (x)R$ with $P_2[M/x] \equiv R[M/x] \mid {!}P$. By (Comm Inter 2),
$P \mid P \xrightarrow{\tau} (\nu \vec n)(P_1 \mid R[M/x])$ and we can calculate:

$Q = (\nu \vec n)(P_1 \mid P_2[M/x])$
$\equiv (\nu \vec n)(P_1 \mid (R[M/x] \mid {!}P))$
$\equiv (\nu \vec n)(P_1 \mid R[M/x]) \mid {!}P$

The last step uses (Struct Extrusion) and the fact that we may
assume that the bound variable $x$ and the bound names $\{\vec n\}$ are
not free in $P$.

This completes the proof of part (3). □

Intuitively, part (3) states that any reaction of $!P$ can be obtained from two copies of $P$ running in parallel. As Pierce and Sangiorgi [PS96] have remarked, we can strengthen part (3) to require only one copy of $P$, but this stronger property would fail for an extended language with a choice construct. The claim with two copies would remain true for such an extended language.

Lemma 27 Suppose $!P \mid R \xrightarrow{\tau} Q$. Then there is $Q'$ such that $Q \equiv !P \mid Q'$ and $P \mid P \mid R \xrightarrow{\tau} Q'$.

Proof By case analysis of the rules that could yield $!P \mid R \xrightarrow{\tau} Q$.

(Comm Par 1) Here $!P \xrightarrow{\tau} P'$ and $Q = P' \mid R$. By Lemma 26 there is $P''$ with $P \mid P \xrightarrow{\tau} P''$ and $P' \equiv P'' \mid !P$. Let $Q' = P'' \mid R$. By (Comm Par 1), $P \mid P \mid R \xrightarrow{\tau} Q'$, and $Q \equiv (P'' \mid !P \mid R) \equiv !P \mid Q'$.

(Comm Par 2) Here $R \xrightarrow{\tau} R'$ and $Q = !P \mid R'$. Let $Q' = P \mid P \mid R'$. By (Comm Par 2) twice, $P \mid P \mid R \xrightarrow{\tau} Q'$. Moreover, $Q \equiv (!P \mid P \mid P \mid R') \equiv !P \mid Q'$.

(Comm Inter 1) Here $!P \xrightarrow{m} (x)P_1$ and $R \xrightarrow{\bar m} (\nu n)\langle M\rangle R'$ with $Q = (\nu n)(P_1[M/x] \mid R')$. By Lemma 26 there is $P_2$ with $P \xrightarrow{m} (x)P_2$ and $P_1[M/x] \equiv P_2[M/x] \mid !P$. Let $Q' = (\nu n)(P \mid P_2[M/x] \mid R')$. By (Comm Par 2) and (Comm Inter 1), $P \mid P \mid R \xrightarrow{\tau} Q'$. Moreover, $Q \equiv (\nu n)((P_2[M/x] \mid !P) \mid R') \equiv !P \mid Q'$, since we may assume that the bound names $\{n\}$ and the bound variable $x$ do not occur free in $P$.

(Comm Inter 2) Here $!P \xrightarrow{\bar m} (\nu n)\langle M\rangle P_1$ and $R \xrightarrow{m} (x)R'$ with $Q = (\nu n)(P_1 \mid R'[M/x])$. By Lemma 26 there is $P_2$ with $P \xrightarrow{\bar m} (\nu n)\langle M\rangle P_2$ and $P_1 \equiv P_2 \mid !P$. Let $Q' = (\nu n)(P \mid P_2 \mid R'[M/x])$. By (Comm Par 2) and (Comm Inter 2), $P \mid P \mid R \xrightarrow{\tau} Q'$. Moreover, $Q \equiv (\nu n)(P_2 \mid !P \mid R'[M/x]) \equiv !P \mid Q'$. □

For $n \geq 0$, we let $P \to^n Q$ mean that $P \equiv P_0 \to P_1 \to P_2 \to \cdots \to P_n \equiv Q$ for some processes $P_0, P_1, \ldots, P_n$.

Lemma 28

(1) Whenever $!P \mid R \to^n Q$ there is $Q'$ with $(\prod_{i\in 1..2n} P) \mid R \to^n Q'$ and $Q \equiv !P \mid Q'$.

(2) Whenever $!P \mid R \Downarrow \beta$ there is $n$ such that $(\prod_{i\in 1..n} P) \mid R \Downarrow \beta$.

Proof

(1) By induction on $n$. In case $n = 0$, $!P \mid R \equiv Q$, so we let $Q' = R$. Otherwise, we assume that the claim holds for $n$, and prove it for $n+1$. We suppose, then, the following:

$!P \mid R \to^n Q_n \to Q$

By induction hypothesis, there is $Q'_n$ with

$(\prod_{i\in 1..2n} P) \mid R \to^n Q'_n$

and $Q_n \equiv !P \mid Q'_n$. By Proposition 3, $!P \mid Q'_n \to Q$ implies that $!P \mid Q'_n \xrightarrow{\tau} Q^*$ for some $Q^* \equiv Q$. By Lemma 27, it follows that there is $Q'$ such that $P \mid P \mid Q'_n \xrightarrow{\tau} Q'$ and $Q^* \equiv !P \mid Q'$, so $Q \equiv !P \mid Q'$. By Proposition 3, it follows that $P \mid P \mid Q'_n \to Q'$. By (React Par), we obtain:

$(\prod_{i\in 1..2(n+1)} P) \mid R \equiv P \mid P \mid (\prod_{i\in 1..2n} P) \mid R \to^n P \mid P \mid Q'_n \to Q'$

and thus $(\prod_{i\in 1..2(n+1)} P) \mid R \to^{n+1} Q'$ and $Q \equiv !P \mid Q'$.

(2) If $!P \mid R \Downarrow \beta$ then there must be $n$ and $Q$ such that $!P \mid R \to^n Q$ and $Q \downarrow \beta$. By the previous part, there is $Q'$ with $(\prod_{i\in 1..2n} P) \mid R \to^n Q'$ and $Q \equiv !P \mid Q'$. We have $!P \mid Q' \downarrow \beta$; hence $P \mid Q' \downarrow \beta$, by Lemma 26 and Proposition 2. By (React Par), we obtain:

$(\prod_{i\in 1..2n+1} P) \mid R \equiv P \mid (\prod_{i\in 1..2n} P) \mid R \to^n P \mid Q' \downarrow \beta$

and hence $(\prod_{i\in 1..2n+1} P) \mid R \Downarrow \beta$. □

Proposition 29 If $(\nu p)(P_1 \mid \prod_{i\in 1..n} P_2) \simeq (\nu p)(Q_1 \mid \prod_{i\in 1..n} Q_2)$ for all $n \geq 0$, then $(\nu p)(P_1 \mid !P_2) \simeq (\nu p)(Q_1 \mid !Q_2)$.
Proof Assume that $(\nu p)(P_1 \mid \prod_{i\in 1..n} P_2) \simeq (\nu p)(Q_1 \mid \prod_{i\in 1..n} Q_2)$ for all $n \geq 0$. Consider an arbitrary test $(R, \beta)$, and suppose that $(\nu p)(P_1 \mid !P_2)$ passes this test, that is, $(\nu p)(P_1 \mid !P_2) \mid R \Downarrow \beta$. We may assume without loss of generality that the bound names $p$ do not occur in $R$ or $\beta$. By Lemmas 31(1, 5) and 28(2) there exists $n$ such that $(\nu p)(P_1 \mid \prod_{i\in 1..n} P_2) \mid R \Downarrow \beta$. By hypothesis, we have $(\nu p)(Q_1 \mid \prod_{i\in 1..n} Q_2) \mid R \Downarrow \beta$ also. Since $!Q_2 \equiv !Q_2 \mid \prod_{i\in 1..n} Q_2$, Lemma 31(1–2, 5) yields $(\nu p)(Q_1 \mid !Q_2) \mid R \Downarrow \beta$, that is, $(\nu p)(Q_1 \mid !Q_2)$ passes $(R, \beta)$. Thus, $(\nu p)(Q_1 \mid !Q_2)$ passes the same tests as $(\nu p)(P_1 \mid !P_2)$. Symmetrically, $(\nu p)(P_1 \mid !P_2)$ passes the same tests as $(\nu p)(Q_1 \mid !Q_2)$. We conclude that $(\nu p)(P_1 \mid !P_2) \simeq (\nu p)(Q_1 \mid !Q_2)$. □

Proposition 30 $!(P \mid Q) \simeq !P \mid !Q$.

Proof First, we prove $!(P \mid Q) \sqsubseteq !P \mid !Q$. Suppose that $!(P \mid Q) \mid R \Downarrow \beta$ for some arbitrary test $(R, \beta)$. By Lemma 28(2) there exists $n$ such that $\prod_{i\in 1..n}(P \mid Q) \mid R \Downarrow \beta$. By Lemma 31(1), $(\prod_{i\in 1..n} P) \mid (\prod_{i\in 1..n} Q) \mid R \Downarrow \beta$. By Lemma 31(2), $!P \mid !Q \mid (\prod_{i\in 1..n} P) \mid (\prod_{i\in 1..n} Q) \mid R \Downarrow \beta$. By Lemma 31(1), $!P \mid !Q \mid R \Downarrow \beta$. Thus, $!P \mid !Q$ passes the same tests as $!(P \mid Q)$.

Second, we prove $!P \mid !Q \sqsubseteq !(P \mid Q)$. Suppose that $!P \mid !Q \mid R \Downarrow \beta$ for some arbitrary test $(R, \beta)$. Applying Lemma 28(2) twice, we obtain that there exist $m$ and $n$ such that $(\prod_{i\in 1..m} P) \mid (\prod_{i\in 1..n} Q) \mid R \Downarrow \beta$. By Lemma 31(2),

$!(P \mid Q) \mid (\prod_{i\in 1..m} Q) \mid (\prod_{i\in 1..n} P) \mid (\prod_{i\in 1..m} P) \mid (\prod_{i\in 1..n} Q) \mid R \Downarrow \beta$

Since

$!(P \mid Q) \equiv !(P \mid Q) \mid (\prod_{i\in 1..m} Q) \mid (\prod_{i\in 1..n} P) \mid (\prod_{i\in 1..m} P) \mid (\prod_{i\in 1..n} Q)$

Lemma 31(1) yields $!(P \mid Q) \mid R \Downarrow \beta$. Thus, $!(P \mid Q)$ passes the same tests as $!P \mid !Q$. □

D Proofs about Equivalences

D.1 Testing Equivalence

The following are auxiliary facts needed for the proofs in this section.

Lemma 31

(1) $P \Downarrow \beta$ and $P \equiv Q$ imply $Q \Downarrow \beta$.

(2) $P \Downarrow \beta$ implies $P \mid Q \Downarrow \beta$.

(3) If $(\nu m)P \xrightarrow{\tau} R$ there is $Q$ with $P \xrightarrow{\tau} Q$ and $R = (\nu m)Q$.

(4) If $(\nu m)P \downarrow \beta$ then $P \downarrow \beta$ and $\beta \notin \{m, \bar m\}$.

(5) $(\nu m)P \Downarrow \beta$ iff $P \Downarrow \beta$ and $\beta \notin \{m, \bar m\}$.
Proof 

(1) By analysis of the last rule of the derivation of $P \Downarrow \beta$. In case (Conv Barb), we have $P \downarrow \beta$. By (Barb Struct), $Q \downarrow \beta$ too. By (Conv Barb), $Q \Downarrow \beta$. In case (Conv React), we have $P \to P'$ and $P' \Downarrow \beta$. By (React Struct), we have $Q \to P'$, and then by (Conv React) $Q \Downarrow \beta$.

(2) By induction on the derivation of $P \Downarrow \beta$, using rules (Barb Par) and (React Par).

(3) (Comm Res) is the only rule that might yield $(\nu m)P \xrightarrow{\tau} R$. Hence there is $Q$ with $P \xrightarrow{\tau} Q$ and $R = (\nu m)Q$.

(4) By Proposition 2, there is $A$ such that $(\nu m)P \xrightarrow{\beta} A$. This commitment can only have been derived from (Comm Res), and so it must be that $A = (\nu m)B$ with $P \xrightarrow{\beta} B$ and $\beta \notin \{m, \bar m\}$. By Proposition 2 again, we obtain $P \downarrow \beta$.

(5) Suppose that $P \Downarrow \beta$ with $\beta \notin \{m, \bar m\}$. Therefore, there is $Q$ with $P \to^* Q$ and $Q \downarrow \beta$. By Proposition 3, there is $Q'$ with $P \xrightarrow{\tau}{}^* Q'$ and $Q' \equiv Q$. By repeated use of (Comm Res), $(\nu m)P \xrightarrow{\tau}{}^* (\nu m)Q'$, so $(\nu m)P \to^* (\nu m)Q$ by Proposition 3 since $(\nu m)Q' \equiv (\nu m)Q$. Moreover, $(\nu m)Q \downarrow \beta$ by (Barb Res). Therefore, $(\nu m)P \Downarrow \beta$.

If $(\nu m)P \Downarrow \beta$, then there must be $Q'$ with $(\nu m)P \to^* Q'$ and $Q' \downarrow \beta$. By Proposition 3, there is $Q''$ such that $(\nu m)P \xrightarrow{\tau}{}^* Q''$ and $Q'' \equiv Q'$. By repeated use of part (3), there is $Q$ such that $P \xrightarrow{\tau}{}^* Q$ and $Q'' = (\nu m)Q$. By (Barb Struct), $Q' \downarrow \beta$ implies $Q'' \downarrow \beta$, and part (4) yields $Q \downarrow \beta$ with $\beta \notin \{m, \bar m\}$. Finally, $P \xrightarrow{\tau}{}^* Q$ implies $P \to^* Q$ by Proposition 3; combining this with $Q \downarrow \beta$, we obtain $P \Downarrow \beta$. □

Lemma 32 $\equiv \;\subseteq\; \simeq$.

Proof Lemma 31(1) says that if $P \Downarrow \beta$ and $P \equiv Q$ then $Q \Downarrow \beta$. The result then follows from the definition of $\simeq$ in terms of $\Downarrow$. □
If $\mathcal R$ is a relation on closed processes, we let its open extension $\mathcal R^\circ$ be the relation on arbitrary processes such that $P \mathrel{\mathcal R^\circ} Q$ if and only if $P\sigma \mathrel{\mathcal R} Q\sigma$ for any substitution $\sigma$ of closed terms for variables such that both $P\sigma$ and $Q\sigma$ are closed.

A congruence on closed processes is an equivalence relation $\mathcal S$ on closed processes such that $P \mathrel{\mathcal S} Q$ implies $C[P] \mathrel{\mathcal S} C[Q]$ for every closed context $C$. Similarly, a congruence on open processes is an equivalence relation $\mathcal S$ on open processes such that $P \mathrel{\mathcal S} Q$ implies $C[P] \mathrel{\mathcal S} C[Q]$ for every context $C$. The notion of precongruence is analogous, except that a precongruence must be a preorder instead of an equivalence relation.

We give an alternative characterization of congruence and precongruence that avoids the use of contexts. When $\mathcal R$ is a relation on open processes, we let its compatible refinement $\widehat{\mathcal R}$ be the relation on open processes given by the rules in Figure 3.

Lemma 33 Suppose that $\mathcal R$ is a preorder. Then $\mathcal R$ is a precongruence (closed under arbitrary contexts) iff $\widehat{\mathcal R} \subseteq \mathcal R$.

See [Gor95] for the proof of a similar proposition.

Lemma 34 The open extension of testing equivalence, $\simeq^\circ$, is a congruence.

Proof Since $\sqsubseteq^\circ$ is clearly a preorder, it suffices to show that $\widehat{\sqsubseteq^\circ} \subseteq \sqsubseteq^\circ$. Given two open processes $P'$ and $Q'$, we assume that $P' \mathrel{\widehat{\sqsubseteq^\circ}} Q'$ and prove that $P' \sqsubseteq^\circ Q'$. For this proof, we show that, for every test $(R, \beta)$ and every substitution $\sigma$ for the free variables of $P'$ and $Q'$, if $P'\sigma$ passes $(R, \beta)$ then $Q'\sigma$ passes $(R, \beta)$. According to Proposition 4, it suffices to assume that there exist a process $P''$ and an agent $A$ such that $P'\sigma \mid R \xrightarrow{\tau}{}^* P''$ and $P'' \xrightarrow{\beta} A$, and to prove that there exist a process $Q''$ and an agent $B$ such that $Q'\sigma \mid R \xrightarrow{\tau}{}^* Q''$ and $Q'' \xrightarrow{\beta} B$. The argument is by case analysis of the rules that define $\widehat{\sqsubseteq^\circ}$.

(Comp Out) Suppose that $P' = \bar M\langle N\rangle.P$ and $Q' = \bar M\langle N\rangle.Q$, with $P \sqsubseteq^\circ Q$. We have that there exist an agent $A$ and a process $P''$ such that $\overline{M\sigma}\langle N\sigma\rangle.P\sigma \mid R \xrightarrow{\tau}{}^* P''$ and $P'' \xrightarrow{\beta} A$. By examining the definition of the commitment relation, we distinguish three cases:

• If $\overline{M\sigma}$ is $\beta$ then $Q'\sigma \mid R \xrightarrow{\beta} ((\nu)\langle N\sigma\rangle Q\sigma) \mid R$, so we let $Q''$ be simply $Q'\sigma \mid R$ and $B$ be $((\nu)\langle N\sigma\rangle Q\sigma) \mid R$.
(Comp Out) $\dfrac{P \mathrel{\mathcal R} Q}{\bar M\langle N\rangle.P \mathrel{\widehat{\mathcal R}} \bar M\langle N\rangle.Q}$

(Comp In) $\dfrac{P \mathrel{\mathcal R} Q}{M(x).P \mathrel{\widehat{\mathcal R}} M(x).Q}$

(Comp Par) $\dfrac{P_1 \mathrel{\mathcal R} Q_1 \quad P_2 \mathrel{\mathcal R} Q_2}{P_1 \mid P_2 \mathrel{\widehat{\mathcal R}} Q_1 \mid Q_2}$

(Comp Res) $\dfrac{P \mathrel{\mathcal R} Q}{(\nu n)P \mathrel{\widehat{\mathcal R}} (\nu n)Q}$

(Comp Repl) $\dfrac{P \mathrel{\mathcal R} Q}{!P \mathrel{\widehat{\mathcal R}} !Q}$

(Comp Match) $\dfrac{P \mathrel{\mathcal R} Q}{[M \text{ is } N]\,P \mathrel{\widehat{\mathcal R}} [M \text{ is } N]\,Q}$

(Comp Nil) $\dfrac{}{0 \mathrel{\widehat{\mathcal R}} 0}$

(Comp Split) $\dfrac{P \mathrel{\mathcal R} Q}{\text{let } (x, y) = M \text{ in } P \mathrel{\widehat{\mathcal R}} \text{let } (x, y) = M \text{ in } Q}$

(Comp IntCase) $\dfrac{P_1 \mathrel{\mathcal R} Q_1 \quad P_2 \mathrel{\mathcal R} Q_2}{\text{case } M \text{ of } 0 : P_1\ \mathit{suc}(x) : P_2 \mathrel{\widehat{\mathcal R}} \text{case } M \text{ of } 0 : Q_1\ \mathit{suc}(x) : Q_2}$

(Comp Decrypt) $\dfrac{P \mathrel{\mathcal R} Q}{\text{case } N \text{ of } \{x\}_M \text{ in } P \mathrel{\widehat{\mathcal R}} \text{case } N \text{ of } \{x\}_M \text{ in } Q}$

Figure 3: Rules of Compatible Refinement
• If $R \xrightarrow{\tau}{}^* R'$ and $R' \xrightarrow{\beta} A'$ for some $R'$ and $A'$, then we let $Q''$ be $Q'\sigma \mid R'$ and $B$ be $Q'\sigma \mid A'$.

• Otherwise, for some $R'$, we have that $R \xrightarrow{\tau}{}^* R'$, $R'$ has the commitment $R' \xrightarrow{M\sigma} (x)R''$ for some abstraction $(x)R''$, and $P\sigma \mid R''[N\sigma/x] \xrightarrow{\tau}{}^* P''$. By Proposition 4, this implies that $P\sigma$ passes the test $(R''[N\sigma/x], \beta)$. Therefore, since $P \sqsubseteq^\circ Q$, we obtain that $Q\sigma$ passes the test $(R''[N\sigma/x], \beta)$. By Proposition 4, there exist $Q''$ and $B$ such that $Q\sigma \mid R''[N\sigma/x] \xrightarrow{\tau}{}^* Q''$ and $Q'' \xrightarrow{\beta} B$. Finally, $R \xrightarrow{\tau}{}^* R'$, $R' \xrightarrow{M\sigma} (x)R''$, and $Q\sigma \mid R''[N\sigma/x] \xrightarrow{\tau}{}^* Q''$ imply that $Q'\sigma \mid R \xrightarrow{\tau}{}^* Q''$.

(Comp In) Suppose that $P' = M(x).P$ and $Q' = M(x).Q$, with $P \sqsubseteq^\circ Q$. Without loss of generality, we assume that $\sigma(x)$ is not defined. We have that there exist an agent $A$ and a process $P''$ such that $M\sigma(x).P\sigma \mid R \xrightarrow{\tau}{}^* P''$ and $P'' \xrightarrow{\beta} A$. By examining the definition of the commitment relation, we distinguish three cases:

• If $M\sigma$ is $\beta$ then $Q'\sigma \mid R \xrightarrow{\beta} ((x)Q\sigma) \mid R$, so we let $Q''$ be simply $Q'\sigma \mid R$ and $B$ be $((x)Q\sigma) \mid R$.

• If $R \xrightarrow{\tau}{}^* R'$ and $R' \xrightarrow{\beta} A'$ for some $R'$ and $A'$, then we let $Q''$ be $Q'\sigma \mid R'$ and $B$ be $Q'\sigma \mid A'$.

• Otherwise, for some $R'$, we have that $R \xrightarrow{\tau}{}^* R'$, $R'$ has the commitment $R' \xrightarrow{\overline{M\sigma}} (\nu m_1)\cdots(\nu m_k)\langle N\rangle R''$ for some concretion $(\nu m_1)\cdots(\nu m_k)\langle N\rangle R''$, and $(\nu m_1)\cdots(\nu m_k)(P\sigma[N/x] \mid R'') \xrightarrow{\tau}{}^* P''$. By Lemma 31(3), $P''$ has the form $(\nu m_1)\cdots(\nu m_k)P'''$ for some $P'''$ such that $P\sigma[N/x] \mid R'' \xrightarrow{\tau}{}^* P'''$; and by Proposition 2 and Lemma 31(4), $P''' \downarrow \beta$ with $\beta \notin \{m_1, \bar m_1, \ldots, m_k, \bar m_k\}$. By Proposition 4, this implies that $P\sigma[N/x]$ passes the test $(R'', \beta)$. Therefore, since $P \sqsubseteq^\circ Q$, we obtain that $Q\sigma[N/x]$ passes the test $(R'', \beta)$. By Proposition 4, there exist $Q'''$ and $B'$ such that $Q\sigma[N/x] \mid R'' \xrightarrow{\tau}{}^* Q'''$ and $Q''' \xrightarrow{\beta} B'$. We let $Q''$ be $(\nu m_1)\cdots(\nu m_k)Q'''$, obtaining $(\nu m_1)\cdots(\nu m_k)(Q\sigma[N/x] \mid R'') \xrightarrow{\tau}{}^* Q''$ and $Q'' \xrightarrow{\beta} B$, where $B$ is $(\nu m_1)\cdots(\nu m_k)B'$. Finally, $R \xrightarrow{\tau}{}^* R'$, $R' \xrightarrow{\overline{M\sigma}} (\nu m_1)\cdots(\nu m_k)\langle N\rangle R''$, and $(\nu m_1)\cdots(\nu m_k)(Q\sigma[N/x] \mid R'') \xrightarrow{\tau}{}^* Q''$ imply that $Q'\sigma \mid R \xrightarrow{\tau}{}^* Q''$.

(Comp Par) Suppose that $P' = P_1 \mid P_2$ and $Q' = Q_1 \mid Q_2$, with $P_1 \sqsubseteq^\circ Q_1$ and $P_2 \sqsubseteq^\circ Q_2$. If $P'\sigma$ passes $(R, \beta)$, then $P_1\sigma$ passes $(P_2\sigma \mid R, \beta)$. Since $P_1 \sqsubseteq^\circ Q_1$, we obtain that $Q_1\sigma$ passes $(P_2\sigma \mid R, \beta)$. Equivalently, we have that $P_2\sigma$ passes $(Q_1\sigma \mid R, \beta)$. Since $P_2 \sqsubseteq^\circ Q_2$, we obtain that $Q_2\sigma$ passes $(Q_1\sigma \mid R, \beta)$. Therefore, $Q'\sigma$ passes $(R, \beta)$.

(Comp Res) Suppose that $P' = (\nu n)P$ and $Q' = (\nu n)Q$, with $P \sqsubseteq^\circ Q$. We may assume that the bound name $n$ does not occur free in $R$, so that $P'\sigma \mid R \equiv (\nu n)(P\sigma \mid R)$. Since $P'\sigma$ passes $(R, \beta)$, $((\nu n)P\sigma) \mid R \Downarrow \beta$. By Lemma 31(1), it follows that $(\nu n)(P\sigma \mid R) \Downarrow \beta$. By Lemma 31(5), it follows that $P\sigma \mid R \Downarrow \beta$ and that $\beta \notin \{n, \bar n\}$. From $P \sqsubseteq^\circ Q$ we obtain $Q\sigma \mid R \Downarrow \beta$. By Lemma 31(5), it follows that $(\nu n)(Q\sigma \mid R) \Downarrow \beta$. By Lemma 31(1), we conclude that $Q'\sigma \mid R \Downarrow \beta$. Therefore, $Q'\sigma$ passes $(R, \beta)$.

(Comp Repl) Suppose that $P' = !P$ and $Q' = !Q$, with $P \sqsubseteq^\circ Q$. We have $!P\sigma \mid R \Downarrow \beta$. By Lemma 28, there is $n$ such that $(\prod_{i\in 1..n} P\sigma) \mid R \Downarrow \beta$. Much as in the case of (Comp Par), it follows that $(\prod_{i\in 1..n} Q\sigma) \mid R \Downarrow \beta$. By Lemma 31(2), we obtain $!Q\sigma \mid (\prod_{i\in 1..n} Q\sigma) \mid R \Downarrow \beta$. Since $!Q\sigma \mid (\prod_{i\in 1..n} Q\sigma) \mid R \equiv !Q\sigma \mid R$, we conclude that $!Q\sigma \mid R \Downarrow \beta$ by Lemma 31(1), so $Q'\sigma$ passes $(R, \beta)$.

(Comp Match) Suppose that $P' = [M \text{ is } N]\,P$ and $Q' = [M \text{ is } N]\,Q$, with $P \sqsubseteq^\circ Q$. If $M\sigma$ and $N\sigma$ are equal, then $P'\sigma \equiv P\sigma$ and $Q'\sigma \equiv Q\sigma$, and the result follows from Lemma 32 and the assumption that $P \sqsubseteq^\circ Q$. Otherwise, both $P'\sigma$ and $Q'\sigma$ are stuck, and hence they are barbed congruent to $0$ by Proposition 8; by Proposition 7, it follows that $P'\sigma \simeq Q'\sigma$.

(Comp Nil) Suppose that $P' = 0$ and $Q' = 0$. Since $\simeq$ is reflexive, $P'\sigma \simeq Q'\sigma$, and hence $P' \sqsubseteq^\circ Q'$.

(Comp Decrypt) Finally, suppose that $P' = \text{case } N \text{ of } \{x\}_M \text{ in } P$ and $Q' = \text{case } N \text{ of } \{x\}_M \text{ in } Q$, with $P \sqsubseteq^\circ Q$. Without loss of generality, we assume that $\sigma(x)$ is not defined. If $N\sigma$ is $\{N'\}_{M\sigma}$ for some $N'$, then $P'\sigma \equiv P\sigma[N'/x]$ and $Q'\sigma \equiv Q\sigma[N'/x]$, and the result follows from Lemma 32 and the assumption that $P \sqsubseteq^\circ Q$. Otherwise, both $P'\sigma$ and $Q'\sigma$ are stuck, and hence they are barbed congruent to $0$ by Proposition 8; by Proposition 7, it follows that $P'\sigma \simeq Q'\sigma$.

The other cases, (Comp Split) and (Comp IntCase), are similar. □
We obtain:

Proof of Proposition 1

(1) Structural equivalence implies testing equivalence.

(2) Testing equivalence is reflexive, transitive, and symmetric.

(3) Testing equivalence is a congruence on closed processes.

Proof That structural equivalence implies testing equivalence is said in Lemma 32. Whenever $\mathcal S$ is a relation on closed processes and $\mathcal S^\circ$ is a congruence on open processes, $\mathcal S$ is a congruence on closed processes; since Lemma 34 shows that $\simeq^\circ$ is a congruence on open processes, $\simeq$ is a congruence on closed processes. □

The remainder of this section concerns some testing equivalences that we use in reasoning about protocols.

Proposition 35 For any closed process $P$, $P \simeq \tau.P$.

Proof First we show that $P \sqsubseteq \tau.P$. By Proposition 4, if $P$ passes a test $(R, \beta)$ there is $Q$ such that $P \mid R \to^* Q$ and $Q \downarrow \beta$. By induction on the length of the computation $P \mid R \to^* Q$, we can show that there is $Q'$ such that there is a computation $\tau.P \mid R \to^* Q'$ with $Q' \downarrow \beta$. Hence $\tau.P$ passes the test $(R, \beta)$. Roughly speaking, the second computation is a copy of the first, except that if ever $P$ contributes to the first (by itself or by reacting with $R$) then we can include $\tau.P \to P$ in the second computation, and then proceed as in the first computation.

By a similar argument $\tau.P \sqsubseteq P$, and hence $P \simeq \tau.P$. □

Lemma 36 For any $P$ with $\mathit{fv}(P) \subseteq \{x\}$ and any distinct names $m$ and $n$, $m(x).(\nu n)P \simeq (\nu n)m(x).P$.

Proof Since both $m(x).(\nu n)P$ and $(\nu n)m(x).P$ have each just one commitment, to the same abstraction:

$m(x).(\nu n)P \xrightarrow{m} (x)(\nu n)P$

$(\nu n)m(x).P \xrightarrow{m} (\nu n)(x)P = (x)(\nu n)P$

they are strongly bisimilar, hence testing equivalent by Proposition 7. □

Lemma 37 Let $n$ be a name, $M$ a (possibly open) term, $\{N_i \mid i \in I\}$ a set of distinct closed terms, and $\{P_i \mid i \in I\}$ a set of (possibly open) processes, where $I$ is a finite set of indices. Then $\prod_{i\in I} [M \text{ is } N_i]\,(\nu n)P_i \simeq^\circ (\nu n)\prod_{i\in I} [M \text{ is } N_i]\,P_i$.

Proof According to the definition of $\simeq^\circ$, it suffices to consider all substitution instances of the claimed equivalence. So we show that, taking all terms and processes to be closed, $\prod_{i\in I} [M \text{ is } N_i]\,(\nu n)P_i \simeq (\nu n)\prod_{i\in I} [M \text{ is } N_i]\,P_i$.

For each $i \in I$, if $N_i \neq M$ then $[M \text{ is } N_i]\,P_i \simeq 0$ and $[M \text{ is } N_i]\,(\nu n)P_i \simeq 0$ by Propositions 8 and 7. For $N_i = M$, on the other hand, $[M \text{ is } N_i]\,P_i \simeq P_i$ and $[M \text{ is } N_i]\,(\nu n)P_i \simeq (\nu n)P_i$ by Proposition 1. Thus, both $(\nu n)\prod_{i\in I} [M \text{ is } N_i]\,P_i$ and $\prod_{i\in I} [M \text{ is } N_i]\,(\nu n)P_i$ are testing equivalent to $0$ if $M \notin \{N_i \mid i \in I\}$ and to $(\nu n)P_j$ if $N_j = M$. □

D.2 Barbed Equivalence

Proof of Proposition 5

(1) Barbed equivalence is reflexive, transitive, and symmetric.

(2) Strong bisimilarity implies barbed equivalence.

(3) Structural equivalence implies barbed equivalence.

(4) Barbed equivalence is preserved by restriction.

Proof

(1) As usual, we can show that the identity relation is a barbed bisimulation, that the composition of two barbed bisimulations yields a barbed bisimulation, and that the converse of a barbed bisimulation is a barbed bisimulation.

(2) It is enough to show that strong bisimilarity is a barbed bisimulation. Given Propositions 2 and 3 this is easy.

(3) By Lemma 25, structural equivalence is a strong bisimulation. By part (2), it is contained in barbed equivalence.

(4) It suffices to show that $\{((\nu n)P, (\nu n)Q) \mid P \mathrel{\dot\sim} Q\}$ is a barbed bisimulation. The proof is straightforward. □

Proof of Proposition 6 If $\mathcal S$ is a barbed bisimulation up to $\dot\sim$ and restriction, then $\mathcal S \subseteq \dot\sim$. A fortiori, if $\mathcal S$ is a barbed bisimulation up to $\dot\sim$, then $\mathcal S \subseteq \dot\sim$.

Proof We prove the proposition using a generalization of the standard technique [MPW92]; an alternative would be to use the modular framework recently developed by Sangiorgi [San94].

We construct a relation $\mathcal S^*$ larger than $\mathcal S$ and show that $\mathcal S^*$ is a barbed bisimulation. The relation $\mathcal S^*$ is defined by:

$\mathcal S_0 = \mathcal S$

$\mathcal S_{k+1} = \{((\nu m)P, (\nu m)Q) \mid P \mathrel{\dot\sim \mathcal S_k \dot\sim} Q,\ m \text{ is any name}\}$

$\mathcal S^* = \bigcup_k (\dot\sim \mathcal S_k \dot\sim)$

First we observe that $\mathcal S^*$ has the following properties:

(Star S) $\dfrac{P \mathrel{\mathcal S} Q}{P \mathrel{\mathcal S^*} Q}$

(Star Res) $\dfrac{P \mathrel{\mathcal S^*} Q}{(\nu m)P \mathrel{\mathcal S^*} (\nu m)Q}$

(Star $\dot\sim$) $\dfrac{P \mathrel{\dot\sim \mathcal S^* \dot\sim} Q}{P \mathrel{\mathcal S^*} Q}$

Property (Star S) follows easily from the definition of $\mathcal S^*$ (and the reflexivity of $\dot\sim$). Property (Star Res) holds because $P \mathrel{\mathcal S^*} Q$ implies $P \mathrel{\dot\sim \mathcal S_k \dot\sim} Q$ for some $k$ and, for every $k$, $P \mathrel{\dot\sim \mathcal S_k \dot\sim} Q$ implies $(\nu m)P \mathrel{\mathcal S_{k+1}} (\nu m)Q$ which in turn implies $(\nu m)P \mathrel{\mathcal S^*} (\nu m)Q$. Property (Star $\dot\sim$) holds because $P \mathrel{\dot\sim \mathcal S^* \dot\sim} Q$ implies that, for some $k$, $P \mathrel{\dot\sim} P_0 \mathrel{\dot\sim \mathcal S_k \dot\sim} Q_0 \mathrel{\dot\sim} Q$ and (by the transitivity of $\dot\sim$) $P \mathrel{\dot\sim \mathcal S_k \dot\sim} Q$, and hence $P \mathrel{\mathcal S^*} Q$.

In order to establish that $\mathcal S^*$ is a barbed bisimulation, we prove by induction on $k$ that $P \mathrel{\dot\sim \mathcal S_k \dot\sim} Q$ implies:

(1) for each barb $\beta$, if $P \downarrow \beta$ then $Q \downarrow \beta$, and

(2) if $P \to P'$ then there exists $Q'$ such that $Q \to Q'$ and $P' \mathrel{\mathcal S^*} Q'$.

In the base case, $k = 0$, we have $P \mathrel{\dot\sim} P_0 \mathrel{\mathcal S} Q_0 \mathrel{\dot\sim} Q$.

(1) Suppose that $P \downarrow \beta$. Since $P \mathrel{\dot\sim} P_0$, $P_0 \downarrow \beta$. Since $P_0 \mathrel{\mathcal S} Q_0$, $Q_0 \downarrow \beta$ by definition of a barbed bisimulation up to $\dot\sim$ and restriction. Finally, since $Q_0 \mathrel{\dot\sim} Q$, $Q \downarrow \beta$ too.

(2) Suppose that $P \to P'$. Since $P \mathrel{\dot\sim} P_0$, there is $P'_0$ such that $P_0 \to P'_0$ and $P' \mathrel{\dot\sim} P'_0$. Since $P_0 \mathrel{\mathcal S} Q_0$, by definition of a barbed bisimulation up to $\dot\sim$ and restriction, there is $Q'_0$ such that $Q_0 \to Q'_0$, and there are $P''$, $Q''$, and names $n$ such that $P'_0 \mathrel{\dot\sim} (\nu n)P''$, $Q'_0 \mathrel{\dot\sim} (\nu n)Q''$, and $P'' \mathrel{\mathcal S} Q''$. By (Star S), $P'' \mathrel{\mathcal S^*} Q''$. By (Star Res), $(\nu n)P'' \mathrel{\mathcal S^*} (\nu n)Q''$. By (Star $\dot\sim$), $P'_0 \mathrel{\mathcal S^*} Q'_0$. Since $Q_0 \mathrel{\dot\sim} Q$, there is $Q'$ such that $Q \to Q'$ and $Q'_0 \mathrel{\dot\sim} Q'$. Finally, given $P' \mathrel{\dot\sim} P'_0$, $P'_0 \mathrel{\mathcal S^*} Q'_0$, and $Q'_0 \mathrel{\dot\sim} Q'$, we obtain $P' \mathrel{\mathcal S^*} Q'$ by (Star $\dot\sim$).

In the inductive case, we have $P \mathrel{\dot\sim \mathcal S_{k+1} \dot\sim} Q$, so there exist $m$, $P_0$, and $Q_0$ such that $P \mathrel{\dot\sim} (\nu m)P_0$, $P_0 \mathrel{\dot\sim \mathcal S_k \dot\sim} Q_0$, and $(\nu m)Q_0 \mathrel{\dot\sim} Q$.

(1) Suppose that $P \downarrow \beta$. Since $P \mathrel{\dot\sim} (\nu m)P_0$, $(\nu m)P_0 \downarrow \beta$. Therefore $P_0 \downarrow \beta$ and $\beta \notin \{m, \bar m\}$. By induction hypothesis, $P_0 \mathrel{\dot\sim \mathcal S_k \dot\sim} Q_0$ implies that $Q_0 \downarrow \beta$. Since $\beta \notin \{m, \bar m\}$, $(\nu m)Q_0 \downarrow \beta$. Finally, since $(\nu m)Q_0 \mathrel{\dot\sim} Q$, $Q \downarrow \beta$ too.

(2) Suppose that $P \to P'$. Since $P \mathrel{\dot\sim} (\nu m)P_0$, there is $P'_1$ such that $(\nu m)P_0 \to P'_1$ and $P' \mathrel{\dot\sim} P'_1$. By Lemma 31(3) and Proposition 3, there is $P'_0$ such that $P'_1 \equiv (\nu m)P'_0$ and $P_0 \to P'_0$. By induction hypothesis, there is $Q'_0$ such that $Q_0 \to Q'_0$ and $P'_0 \mathrel{\mathcal S^*} Q'_0$. By (React Res), $(\nu m)Q_0 \to (\nu m)Q'_0$. Since $(\nu m)Q_0 \mathrel{\dot\sim} Q$, there is $Q'$ such that $Q \to Q'$ and $(\nu m)Q'_0 \mathrel{\dot\sim} Q'$. By (Star Res), $(\nu m)P'_0 \mathrel{\mathcal S^*} (\nu m)Q'_0$. Finally, given $P' \mathrel{\dot\sim} (\nu m)P'_0$, $(\nu m)P'_0 \mathrel{\mathcal S^*} (\nu m)Q'_0$, and $(\nu m)Q'_0 \mathrel{\dot\sim} Q'$, we obtain $P' \mathrel{\mathcal S^*} Q'$ by (Star $\dot\sim$).

This completes the proof by induction. The definition of $\mathcal S^*$ yields that $\mathcal S^*$ is a barbed bisimulation, so $\mathcal S^* \subseteq \dot\sim$. Using (Star S), we conclude that $\mathcal S \subseteq \dot\sim$. □

D.3 Barbed Congruence

The main task of this section is to show $\widehat{\sim^\circ} \subseteq \sim^\circ$, from which it follows that $\sim^\circ$ is a congruence. The following is an adaptation of the proof by Pierce and Sangiorgi [PS96].

We begin with two lemmas concerning replication and commitment.

Lemma 38 $\widehat{\sim^\circ} \subseteq \sim^\circ$.

Proof For any $P'$ and $Q'$, we need to show that $P' \mathrel{\widehat{\sim^\circ}} Q'$ implies that

$P'\sigma \mid R \mathrel{\dot\sim} Q'\sigma \mid R \qquad (21)$

for any closed $R$ and substitution $\sigma$, with $\mathit{fv}(P') \cup \mathit{fv}(Q') \subseteq \mathit{dom}(\sigma)$. We do so by an analysis of the (Comp –) rule used to derive $P' \mathrel{\widehat{\sim^\circ}} Q'$.

(Comp Out) Here $P' = \bar M\langle N\rangle.P$ and $Q' = \bar M\langle N\rangle.Q$, with $P \sim^\circ Q$. So $P'\sigma = \overline{M\sigma}\langle N\sigma\rangle.P\sigma$ and $Q'\sigma = \overline{M\sigma}\langle N\sigma\rangle.Q\sigma$. Let $\mathcal S$ be the following relation:

$\mathcal S = \{(P'\sigma \mid R,\ Q'\sigma \mid R) \mid \text{any } R\}$

Equation (21) will follow if we can show that $\mathcal S \cup \dot\sim$ is a barbed bisimulation. Clearly both $P'\sigma \mid R$ and $Q'\sigma \mid R$ have the same barbs. By
using the rules of commitment, we can see that if $P'\sigma \mid R$ has a $\tau$ commitment, either $R$ has one by itself or there is an interaction between $\overline{M\sigma}\langle N\sigma\rangle.P\sigma$ and $R$. In either case $Q'\sigma \mid R$ can match this $\tau$ commitment, via $\mathcal S$ and $\dot\sim$ respectively.

(Comp In) Here $P' = M(x).P$ and $Q' = M(x).Q$, with $P \sim^\circ Q$. So $P'\sigma = M\sigma(x).P\sigma$ and $Q'\sigma = M\sigma(x).Q\sigma$; since $x$ is bound we may assume that $x \notin \mathit{dom}(\sigma)$. As in the previous case, if we set $\mathcal S = \{(P'\sigma \mid R,\ Q'\sigma \mid R) \mid \text{any } R\}$, it is enough to show that $\mathcal S \cup \dot\sim$ is a barbed bisimulation, and this follows by a similar argument.

(Comp Par) Here $P' = P_1 \mid P_2$ and $Q' = Q_1 \mid Q_2$. Using assumptions that $P_1 \sim^\circ Q_1$ and $P_2 \sim^\circ Q_2$, and the properties of barbed equivalence in Proposition 5, we can calculate equation (21) as follows.

$(P_1\sigma \mid P_2\sigma) \mid R \equiv P_1\sigma \mid (P_2\sigma \mid R)$
$\quad \dot\sim\ Q_1\sigma \mid (P_2\sigma \mid R)$
$\quad \equiv\ P_2\sigma \mid (Q_1\sigma \mid R)$
$\quad \dot\sim\ Q_2\sigma \mid (Q_1\sigma \mid R)$
$\quad \equiv\ (Q_1\sigma \mid Q_2\sigma) \mid R$

(Comp Res) Here $P' = (\nu n)P$ and $Q' = (\nu n)Q$. Using the assumption that $P \sim^\circ Q$, together with Proposition 5, here is a calculation of equation (21).

$((\nu n)(P\sigma)) \mid R \equiv (\nu n)(P\sigma \mid R)$
$\quad \dot\sim\ (\nu n)(Q\sigma \mid R)$
$\quad \equiv\ ((\nu n)(Q\sigma)) \mid R$

(Comp Repl) Here $P' = !P$ and $Q' = !Q$ with $P \sim^\circ Q$. We prove that

$\mathcal S = \{(!P\sigma \mid R,\ !Q\sigma \mid R) \mid \text{any } R\}$

is a barbed bisimulation up to $\dot\sim$. Hence equation (21) will follow by Proposition 6. Clearly both sides have the same barbs. Consider any reaction $!P\sigma \mid R \to R'$. By Lemma 27, there is a process $R''$ with reaction $P\sigma \mid P\sigma \mid R \to R''$, such that $R' \equiv !P\sigma \mid R''$. By assumption $P \sim^\circ Q$, we can calculate the following.

$!Q\sigma \mid R \equiv Q\sigma \mid (!Q\sigma \mid R)$
$\quad \dot\sim\ P\sigma \mid (!Q\sigma \mid R)$
$\quad \equiv\ Q\sigma \mid (!Q\sigma \mid P\sigma \mid R)$
$\quad \dot\sim\ P\sigma \mid (!Q\sigma \mid P\sigma \mid R)$
$\quad \equiv\ !Q\sigma \mid P\sigma \mid P\sigma \mid R$
$\quad \to\ !Q\sigma \mid R''$

By the definition of $\dot\sim$, there must be a reaction $!Q\sigma \mid R \to Q''$ with $Q'' \mathrel{\dot\sim} !Q\sigma \mid R''$. Moreover we have $R' \equiv !P\sigma \mid R'' \mathrel{\mathcal S} !Q\sigma \mid R'' \mathrel{\dot\sim} Q''$, so we have satisfied the condition for $\mathcal S$ to be a bisimulation up to $\dot\sim$.

(Comp Match) Here $P' = [M \text{ is } N]\,P$ and $Q' = [M \text{ is } N]\,Q$ with $P \sim^\circ Q$. Let $\mathcal S = \{([M\sigma \text{ is } N\sigma]\,P\sigma \mid R,\ [M\sigma \text{ is } N\sigma]\,Q\sigma \mid R) \mid \text{any } R\}$. Then equation (21) follows easily by showing that $\mathcal S \cup \dot\sim$ is a barbed bisimulation.

(Comp Decrypt) Here $P' = \text{case } N \text{ of } \{x\}_M \text{ in } P$ and $Q' = \text{case } N \text{ of } \{x\}_M \text{ in } Q$ with $P \sim^\circ Q$. Since $x$ is bound, we may assume $x \notin \mathit{dom}(\sigma)$, and therefore that $P'\sigma = \text{case } N\sigma \text{ of } \{x\}_{M\sigma} \text{ in } P\sigma$ and $Q'\sigma = \text{case } N\sigma \text{ of } \{x\}_{M\sigma} \text{ in } Q\sigma$. Let $\mathcal S = \{(P'\sigma \mid R,\ Q'\sigma \mid R) \mid \text{any } R\}$. Again, it is easy to see that $\mathcal S \cup \dot\sim$ is a barbed bisimulation, and hence that equation (21) holds.

The other cases, (Comp Nil), (Comp Split), and (Comp IntCase), are similar. □

Now we can prove the basic facts about barbed congruence claimed in Section 5.2.3.

Proof of Proposition 7

(1) Barbed congruence is reflexive, transitive, and symmetric.

(2) Barbed congruence is a congruence on closed processes.

(3) Structural equivalence implies barbed congruence.

(4) Strong bisimilarity implies barbed congruence.

(5) Barbed congruence implies testing equivalence.

Proof

(1) Since $\dot\sim$ is an equivalence relation, so is $\sim$.

(2) Lemma 38 yields that the open extension of barbed congruence, $\sim^\circ$, is a congruence on open processes. It follows that barbed congruence is a congruence on closed processes.

(3) This follows from part (4), since we know from Lemma 25 that structural equivalence implies strong bisimilarity.

(4) It suffices to check that the following relation is a barbed bisimulation:

$\mathcal S = \{(P \mid R,\ Q \mid R) \mid P \text{ and } Q \text{ strongly bisimilar}\}$

We omit the routine proof, which involves using the commitment relation to analyze the possible barbs and reactions of $P \mid R$ and $Q \mid R$, and showing that they match up to $\mathcal S$.

(5) Suppose that $P \sim Q$, and consider any test $(R, \beta)$. By definition of barbed congruence, $(P \mid R) \mathrel{\dot\sim} (Q \mid R)$. Hence, $(P \mid R) \Downarrow \beta$ implies $(Q \mid R) \Downarrow \beta$ too. Therefore, $P \simeq Q$. □

E Proofs about Underpinning

First, we need the following fact about underpinning and injective substitutions.

Lemma 39 Suppose $E \vdash M$, $E \vdash N$, and $E \vdash \sigma$. If $\sigma$ is injective, then $M\sigma = N\sigma$ implies $M = N$.

Proof By induction on the structure of $M$.

• Suppose $M$ is the variable $x$. Since $E \vdash x$, $x \in \mathit{dom}(\sigma)$. Since $E \vdash \sigma$, $x\sigma$ must be a ciphertext, say $\{M'\}_K$, with $K \in \mathit{keys}(E)$. Since $E \vdash N$, $K \notin \mathit{fn}(N)$. Since $N\sigma = \{M'\}_K$, it must be that $N$ is a variable $y$, with $y \in \mathit{dom}(\sigma)$ and $y\sigma = x\sigma$. Since $\sigma$ is injective, $x = y$, that is, $M = N$.

• Suppose $M$ is the name $n$. The set of names is defined to be distinct from the set of variables, so $M\sigma = n$. Similarly, since $N\sigma = n$, it follows that $N = n$ and therefore that $M = N$.

• Suppose $M$ is the ciphertext $\{M_1\}_{M_2}$. Therefore $M\sigma = \{M_1\sigma\}_{M_2\sigma} = N\sigma$. Either $N$ is some variable $x \in \mathit{dom}(\sigma)$ or $N = \{N_1\}_{N_2}$. If the latter, we have $E \vdash M_i$, $E \vdash N_i$, $M_i\sigma = N_i\sigma$ for $i = 1, 2$. By induction hypothesis, $M_i = N_i$ for $i = 1, 2$, and therefore $M = N$ as required. Otherwise, if $N = x$, suppose that $x\sigma$ is the ciphertext $\{N'\}_K$. Since $M\sigma = N\sigma$, $M_2\sigma = K$ and moreover $M_2 = K$. Since $E \vdash \sigma$, $K \in \mathit{keys}(E)$. Since $E \vdash M$, $K \notin \mathit{fn}(M)$ but $M = \{M_1\}_K$. This is a contradiction.

• Suppose $M$ is the pair $(M_1, M_2)$. From $(M_1\sigma, M_2\sigma) = N\sigma$ it must be that $N = (N_1, N_2)$, since the range of $\sigma$ includes only ciphertexts. As in the previous case, we have $E \vdash M_i$, $E \vdash N_i$, $M_i\sigma = N_i\sigma$ for $i = 1, 2$. By induction hypothesis, $M_i = N_i$ for $i = 1, 2$, and therefore $M = N$ as required.

The other cases, when $M = 0$ and $M = \mathit{suc}(M')$, are similar. □
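The following is an added illustration of Lemma 39, not code from the paper: it enumerates a small constructed space of terms and checks that an injective substitution whose range is ciphertexts under keys of $E$ never identifies two distinct underpinned terms, and that dropping either hypothesis (injectivity, or $E \vdash M$) produces collisions. The readings of $E \vdash M$ as "no key of $E$ occurs free in $M$" and of $E \vdash \sigma$ as "every value of $\sigma$ is a ciphertext under a key of $E$" are taken from the proof above and are assumptions of the example, as are the sample names a, b, K and variables x, y.

```python
"""Added example: mechanically checking Lemma 39 on a constructed term space."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Union


# Term syntax used in the proof of Lemma 39: names, variables, ciphertexts, pairs.
@dataclass(frozen=True)
class Name:
    n: str


@dataclass(frozen=True)
class Var:
    x: str


@dataclass(frozen=True)
class Cipher:          # {body}_key
    body: "Term"
    key: "Term"


@dataclass(frozen=True)
class Pair:            # (left, right)
    left: "Term"
    right: "Term"


Term = Union[Name, Var, Cipher, Pair]
Subst = Dict[Var, Term]


def fn(t: Term) -> FrozenSet[str]:
    """Free names of a term."""
    if isinstance(t, Name):
        return frozenset({t.n})
    if isinstance(t, Var):
        return frozenset()
    if isinstance(t, Cipher):
        return fn(t.body) | fn(t.key)
    return fn(t.left) | fn(t.right)


def apply(t: Term, s: Subst) -> Term:
    """M sigma: replace variables in dom(sigma); everything else is unchanged."""
    if isinstance(t, Var):
        return s.get(t, t)
    if isinstance(t, Cipher):
        return Cipher(apply(t.body, s), apply(t.key, s))
    if isinstance(t, Pair):
        return Pair(apply(t.left, s), apply(t.right, s))
    return t


def underpins_term(keys: FrozenSet[str], t: Term) -> bool:
    """E |- M, read (assumption) as: no key of E occurs free in M."""
    return not (keys & fn(t))


def underpins_subst(keys: FrozenSet[str], s: Subst) -> bool:
    """E |- sigma, read (assumption) as: the range consists of ciphertexts {M'}_K, K in keys(E)."""
    return all(isinstance(v, Cipher) and isinstance(v.key, Name) and v.key.n in keys
               for v in s.values())


def is_injective(s: Subst) -> bool:
    return len(set(s.values())) == len(s)


def terms_up_to(depth: int, atoms: Iterable[Term]) -> List[Term]:
    """All terms over the atoms with nesting depth <= depth (the constructed test space)."""
    level: Set[Term] = set(atoms)
    for _ in range(depth):
        prev = list(level)
        level |= {Cipher(b, k) for b in prev for k in prev}
        level |= {Pair(l, r) for l in prev for r in prev}
    return list(level)


def collisions(keys: FrozenSet[str], s: Subst, terms: Iterable[Term],
               require_underpinned: bool = True) -> List[Set[Term]]:
    """Groups of distinct terms M != N with M sigma == N sigma.  Lemma 39 says the
    list is empty when sigma is injective, E |- sigma, and only terms with E |- M count."""
    preimages: Dict[Term, Set[Term]] = {}
    for t in terms:
        if require_underpinned and not underpins_term(keys, t):
            continue
        preimages.setdefault(apply(t, s), set()).add(t)
    return [group for group in preimages.values() if len(group) > 1]


# Constructed sample data: E has the single key K; sigma maps x, y to ciphertexts under K.
KEYS = frozenset({"K"})
ATOMS = [Name("a"), Name("K"), Var("x"), Var("y")]
SIGMA: Subst = {Var("x"): Cipher(Name("a"), Name("K")),
                Var("y"): Cipher(Name("b"), Name("K"))}
SIGMA_BAD: Subst = {Var("x"): Cipher(Name("a"), Name("K")),
                    Var("y"): Cipher(Name("a"), Name("K"))}   # not injective


def demo() -> dict:
    """Lemma holds for SIGMA; fails without injectivity; fails if E |- M is dropped."""
    terms = terms_up_to(2, ATOMS)
    return {
        "lemma": collisions(KEYS, SIGMA, terms),
        "noninjective": collisions(KEYS, SIGMA_BAD, terms),
        "unrestricted": collisions(KEYS, SIGMA, terms, require_underpinned=False),
    }


if __name__ == "__main__":
    for label, groups in demo().items():
        print(label, "collision groups:", len(groups))
```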

Proof of Lemma 9 Suppose that $E \vdash P$ and $E \vdash \sigma$, and that $\sigma$ is injective.

(1) If $P\sigma > Q'$ then there is a process $Q$ with $E \vdash Q$, $\mathit{fv}(Q) \subseteq \mathit{fv}(P)$, $\mathit{fn}(Q) \subseteq \mathit{fn}(P)$, and $Q' = Q\sigma$ such that, whenever $E \vdash \sigma'$ and $\sigma'$ is injective, $P\sigma' > Q\sigma'$.

(2) If $P\sigma \xrightarrow{\alpha} A'$ then there is an agent $A$ with $E \vdash A$, $\mathit{fv}(A) \subseteq \mathit{fv}(P)$, $\mathit{fn}(A) \subseteq \mathit{fn}(P)$, and $A' = A\sigma$ such that, whenever $E \vdash \sigma'$ and $\sigma'$ is injective, $P\sigma' \xrightarrow{\alpha} A\sigma'$.

Proof

(1) By analysis of the rules that may yield $P\sigma > Q'$.

(Red Decrypt) Here $P = \text{case } M \text{ of } \{x\}_N \text{ in } R$ with $M\sigma = \{M'_1\}_{N\sigma}$ and $Q' = R\sigma[M'_1/x]$, given that we may assume that the bound variable $x$ is not in the domain or range of $\sigma$. Since $M\sigma = \{M'_1\}_{N\sigma}$, either $M$ is a variable $y \in \mathit{dom}(\sigma)$ or a ciphertext $\{M_1\}_{M_2}$. In the former case, $y\sigma = \{M'_1\}_{N\sigma}$ so $N\sigma$ must be a member of $\mathit{keys}(E)$, and therefore is a name, say $K$. Since the range of $\sigma$ consists of ciphertexts, $N$ itself must be the name $K$. But then we have $K \in \mathit{keys}(E)$ while also $K \in \mathit{fn}(P)$, which contradicts our assumption that $E \vdash P$.

Therefore $M = \{M_1\}_{M_2}$. It follows that $M_1\sigma = M'_1$ and $M_2\sigma = N\sigma$. By Lemma 39, $M_2 = N$. Let $Q = R[M_1/x]$. From $E \vdash P$ it follows that $E \vdash Q$ too. Further, $\mathit{fv}(Q) \subseteq \mathit{fv}(M_1) \cup (\mathit{fv}(R) - \{x\}) \subseteq \mathit{fv}(P)$ and $\mathit{fn}(Q) \subseteq \mathit{fn}(M_1) \cup \mathit{fn}(R) \subseteq \mathit{fn}(P)$. For any injective $\sigma'$ with $E \vdash \sigma'$, we have:

$P\sigma' = \text{case } \{M_1\sigma'\}_{N\sigma'} \text{ of } \{x\}_{N\sigma'} \text{ in } R\sigma'$
$\quad > R\sigma'[M_1\sigma'/x]$
$\quad = (R[M_1/x])\sigma'$

So we have $P\sigma' > Q\sigma'$ as required.

(Red Match) Here $P = [N_1 \text{ is } N_2]\,Q$ with $N_1\sigma = N_2\sigma$ and $Q' = Q\sigma$. By Lemma 39, $N_1 = N_2$. From $E \vdash P$ it follows that $E \vdash Q$ too. Since $Q$ is a part of $P$, $\mathit{fv}(Q) \subseteq \mathit{fv}(P)$ and $\mathit{fn}(Q) \subseteq \mathit{fn}(P)$. For any injective $\sigma'$ with $E \vdash \sigma'$, we have $P\sigma' = [N_1\sigma' \text{ is } N_2\sigma']\,Q\sigma' > Q\sigma'$ as required.

The other cases are routine, given that $M$ must be a ciphertext if it is in the range of $\sigma$.

(2) By induction on the derivation of $P\sigma \xrightarrow{\alpha} A'$.

(Comm In) Here $P = M(x).Q$ with $M\sigma = m = \alpha$ and $A' = (x)(Q\sigma)$, where we may assume that the bound variable $x$ is not in the domain or range of $\sigma$. Since $M\sigma$ is a name, $m$, it must be that $M$ itself is the name, since only ciphertexts are in the range of $\sigma$. Let $A = (x)Q$. From $E \vdash P$ it follows that $E \vdash A$ too. Further, $\mathit{fv}(A) = \mathit{fv}(Q) - \{x\} \subseteq \mathit{fv}(P)$ and $\mathit{fn}(A) = \mathit{fn}(Q) \subseteq \mathit{fn}(P)$. We have $A' = (x)(Q\sigma) = A\sigma$. For any injective $\sigma'$ with $E \vdash \sigma'$, we have:

$P\sigma' = m(x).Q\sigma' \xrightarrow{m} (x)(Q\sigma') = A\sigma'$

as required.

(Comm Inter 1) Here $P = P_1 \mid P_2$, with $P_1\sigma \xrightarrow{m} F'$ and $P_2\sigma \xrightarrow{\bar m} C'$, $\alpha = \tau$, and $A' = F'@C'$. By induction hypothesis, there is $F$ such that $F' = F\sigma$, $E \vdash F$, $\mathit{fv}(F) \subseteq \mathit{fv}(P_1)$, $\mathit{fn}(F) \subseteq \mathit{fn}(P_1)$, and $P_1\sigma' \xrightarrow{m} F\sigma'$ for all injective $\sigma'$ with $E \vdash \sigma'$. By induction hypothesis, there is $C$ such that $C' = C\sigma$, $E \vdash C$, $\mathit{fv}(C) \subseteq \mathit{fv}(P_2)$, $\mathit{fn}(C) \subseteq \mathit{fn}(P_2)$, and $P_2\sigma' \xrightarrow{\bar m} C\sigma'$ for all injective $\sigma'$ with $E \vdash \sigma'$. Let $A = F@C$. Interaction, $@$, is defined so that it commutes with substitution, so we have $A\sigma = F\sigma@C\sigma = F'@C' = A'$. From $E \vdash F$ and $E \vdash C$ follows $E \vdash A$. Further, $\mathit{fv}(A) \subseteq \mathit{fv}(F) \cup \mathit{fv}(C) \subseteq \mathit{fv}(P_1) \cup \mathit{fv}(P_2) = \mathit{fv}(P)$ and $\mathit{fn}(A) = \mathit{fn}(F) \cup \mathit{fn}(C) \subseteq \mathit{fn}(P_1) \cup \mathit{fn}(P_2) = \mathit{fn}(P)$. For any injective $\sigma'$ with $E \vdash \sigma'$, we have:

$P\sigma' = P_1\sigma' \mid P_2\sigma'$
$\quad \xrightarrow{\tau} F\sigma'@C\sigma'$
$\quad = (F@C)\sigma'$

where the $\tau$ commitment follows using (Comm Inter 1) and the facts that $P_1\sigma' \xrightarrow{m} F\sigma'$ and $P_2\sigma' \xrightarrow{\bar m} C\sigma'$. We have obtained $P\sigma' \xrightarrow{\tau} A\sigma'$, as required.

(Comm Red) Here $P\sigma > Q'$ and $Q' \xrightarrow{\alpha} A'$. By part (1), there is $Q$ with $E \vdash Q$, $\mathit{fv}(Q) \subseteq \mathit{fv}(P)$, $\mathit{fn}(Q) \subseteq \mathit{fn}(P)$, $Q' = Q\sigma$, and $P\sigma' > Q\sigma'$ for all injective $\sigma'$ with $E \vdash \sigma'$. Since $E \vdash Q$ and $Q\sigma \xrightarrow{\alpha} A'$, by induction hypothesis, there is $A$ with $E \vdash A$, $\mathit{fv}(A) \subseteq \mathit{fv}(Q)$, $\mathit{fn}(A) \subseteq \mathit{fn}(Q)$, $A' = A\sigma$, and $Q\sigma' \xrightarrow{\alpha} A\sigma'$ for all such $\sigma'$. By transitivity, we have $\mathit{fv}(A) \subseteq \mathit{fv}(P)$ and $\mathit{fn}(A) \subseteq \mathit{fn}(P)$. Further, for any injective $\sigma'$ with $E \vdash \sigma'$, we have obtained $P\sigma' > Q\sigma'$ and $Q\sigma' \xrightarrow{\alpha} A\sigma'$, so by (Comm Red) $P\sigma' \xrightarrow{\alpha} A\sigma'$, as required.

The case for (Comm Out) is similar to that for (Comm In). The case for (Comm Inter 2) is like that for (Comm Inter 1). Those for (Comm Par 1), (Comm Par 2), and (Comm Res) are by simple uses of the induction hypothesis. □

This lemma would still hold in a spi calculus with the mismatch operator mentioned in Section 4.2. The case for mismatch in part (1) would be like that of (Red Match), with a similar appeal to Lemma 39.